Multiple vulnerabilities in QEMU

Updated: 2020-08-09
Risk: High
Patch available: NO
Number of vulnerabilities: 36
CVE-ID: CVE-2015-8345, CVE-2015-8619, CVE-2015-8504, CVE-2015-8568, CVE-2015-8613, CVE-2015-8666, CVE-2016-9907, CVE-2016-9908, CVE-2016-9911, CVE-2016-9912, CVE-2016-9921, CVE-2016-9923, CVE-2016-7466, CVE-2016-7422, CVE-2016-7421, CVE-2016-7170, CVE-2016-7157, CVE-2016-7156, CVE-2016-7155, CVE-2016-7116, CVE-2016-6888, CVE-2016-6836, CVE-2016-6835, CVE-2016-6834, CVE-2016-6833, CVE-2016-6490, CVE-2016-4964, CVE-2016-8669, CVE-2016-8667, CVE-2016-7423, CVE-2015-8558, CVE-2016-1568, CVE-2015-5158, CVE-2015-7295, CVE-2015-4106, CVE-2014-5388
CWE-ID: CWE-399, CWE-787, CWE-20, CWE-401, CWE-121, CWE-119, CWE-400, CWE-200, CWE-369, CWE-416, CWE-476, CWE-125, CWE-22, CWE-284
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: QEMU (Client/Desktop applications / Virtualization software)
Vendor: QEMU

Security Bulletin

This security bulletin contains information about 36 vulnerabilities.

1) Resource management error

EUVDB-ID: #VU39187

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-8345

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a local authenticated user to crash the entire system.

The eepro100 emulator in QEMU (qemu-kvm) allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://www.debian.org/security/2016/dsa-3469
http://www.debian.org/security/2016/dsa-3470
http://www.debian.org/security/2016/dsa-3471
http://www.openwall.com/lists/oss-security/2015/11/25/11
http://www.securityfocus.com/bid/77985
http://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html
http://security.gentoo.org/glsa/201602-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds write

EUVDB-ID: #VU39188

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-8619

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash).

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://www.debian.org/security/2016/dsa-3471
http://www.openwall.com/lists/oss-security/2015/12/23/1
http://www.securityfocus.com/bid/79668
http://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html
http://security.gentoo.org/glsa/201604-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU39210

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-8504

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8
http://www.debian.org/security/2016/dsa-3469
http://www.debian.org/security/2016/dsa-3470
http://www.debian.org/security/2016/dsa-3471
http://www.openwall.com/lists/oss-security/2015/12/08/7
http://www.securityfocus.com/bid/78708
http://bugzilla.redhat.com/show_bug.cgi?id=1289541
http://security.gentoo.org/glsa/201602-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory leak

EUVDB-ID: #VU39211

Risk: Medium

CVSSv3.1: 5.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2015-8568

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak in QEMU when built with VMware VMXNET3 paravirtual NIC emulator support; local guest users can cause a denial of service (host memory consumption) by repeatedly trying to activate the vmxnet3 device. A remote attacker can perform a denial of service attack.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://www.debian.org/security/2016/dsa-3471
http://www.openwall.com/lists/oss-security/2015/12/15/10
http://www.securityfocus.com/bid/79721
http://bugzilla.redhat.com/show_bug.cgi?id=1289816
http://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html
http://security.gentoo.org/glsa/201602-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Stack-based buffer overflow

EUVDB-ID: #VU39212

Risk: Medium

CVSSv3.1: 5.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2015-8613

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing a crafted SCSI controller CTRL_GET_INFO command. A remote unauthenticated attacker can trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://www.debian.org/security/2016/dsa-3471
http://www.openwall.com/lists/oss-security/2015/12/22/1
http://www.securityfocus.com/bid/79719
http://bugzilla.redhat.com/show_bug.cgi?id=1284008
http://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html
http://security.gentoo.org/glsa/201604-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Buffer overflow

EUVDB-ID: #VU39213

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-8666

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to crash the entire system.

A heap-based buffer overflow exists in QEMU when built with the Q35-chipset-based PC system emulator.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu-project.org/?p=qemu.git;a=commit;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb
http://www.openwall.com/lists/oss-security/2015/12/24/1
http://www.securityfocus.com/bid/79670
http://bugzilla.redhat.com/show_bug.cgi?id=1283722
http://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
http://security.gentoo.org/glsa/201602-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Resource exhaustion

EUVDB-ID: #VU39962

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-9907

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local authenticated user to crash the entire system.

Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://www.openwall.com/lists/oss-security/2016/12/08/3
http://www.securityfocus.com/bid/94759
http://access.redhat.com/errata/RHSA-2017:2392
http://access.redhat.com/errata/RHSA-2017:2408
http://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
http://security.gentoo.org/glsa/201701-49


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Information disclosure

EUVDB-ID: #VU39963

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-9908

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local authenticated user to gain access to sensitive information.

Quick Emulator (QEMU) built with Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak the contents of host memory.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://www.openwall.com/lists/oss-security/2016/12/08/4
http://www.securityfocus.com/bid/94761
http://security.gentoo.org/glsa/201701-49


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Resource exhaustion

EUVDB-ID: #VU39964

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-9911

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local authenticated user to crash the entire system.

Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://www.openwall.com/lists/oss-security/2016/12/08/5
http://www.securityfocus.com/bid/94762
http://access.redhat.com/errata/RHSA-2017:2392
http://access.redhat.com/errata/RHSA-2017:2408
http://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
http://security.gentoo.org/glsa/201701-49


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Resource exhaustion

EUVDB-ID: #VU39965

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-9912

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local authenticated user to crash the entire system.

Quick Emulator (QEMU) built with Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying a GPU resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory, resulting in DoS for the host.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://www.openwall.com/lists/oss-security/2016/12/08/6
http://www.securityfocus.com/bid/94760
http://security.gentoo.org/glsa/201701-49


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Division by zero

EUVDB-ID: #VU39966

Risk: Medium

CVSSv3.1: 6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-9921

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a divide-by-zero error when the Cirrus graphics mode is set to VGA. A privileged user inside the guest could use this flaw to crash the QEMU process instance on the host, resulting in DoS. A remote attacker can pass a specially crafted file to the application and crash it.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://www.openwall.com/lists/oss-security/2016/12/09/1
http://www.securityfocus.com/bid/94803
http://access.redhat.com/errata/RHSA-2017:2392
http://access.redhat.com/errata/RHSA-2017:2408
http://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
http://security.gentoo.org/glsa/201701-49


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use-after-free

EUVDB-ID: #VU39967

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-9923

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local authenticated user to crash the entire system.

Quick Emulator (QEMU) built with 'chardev' backend support is vulnerable to a use-after-free issue. It could occur while hot-plugging and unplugging the device in the guest. A guest user/process could use this flaw to crash a QEMU process on the host, resulting in DoS.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://www.openwall.com/lists/oss-security/2016/12/09/2
http://www.securityfocus.com/bid/94827
http://security.gentoo.org/glsa/201701-49


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Memory leak

EUVDB-ID: #VU39979

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-7466

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) when the xHCI controller uses MSI-X; local guest OS administrators can cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device. A remote attacker can perform a denial of service attack.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=b53dd4495ced2432a0b652ea895e651d07336f7e
http://lists.opensuse.org/opensuse-updates/2016-12/msg00140.html
http://www.openwall.com/lists/oss-security/2016/09/19/8
http://www.openwall.com/lists/oss-security/2016/09/20/3
http://www.securityfocus.com/bid/93029
http://access.redhat.com/errata/RHSA-2017:2392
http://access.redhat.com/errata/RHSA-2017:2408
http://lists.gnu.org/archive/html/qemu-devel/2016-09/msg02773.html
http://security.gentoo.org/glsa/201611-11


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) NULL pointer dereference

EUVDB-ID: #VU39980

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-7422

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a large I/O descriptor buffer length value.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=973e7170dddefb491a48df5cba33b2ae151013a0
http://lists.opensuse.org/opensuse-updates/2016-12/msg00140.html
http://www.openwall.com/lists/oss-security/2016/09/16/10
http://www.openwall.com/lists/oss-security/2016/09/16/4
http://www.securityfocus.com/bid/92996
http://access.redhat.com/errata/RHSA-2017:2392
http://access.redhat.com/errata/RHSA-2017:2408
http://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03546.html
http://security.gentoo.org/glsa/201609-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Resource management error

EUVDB-ID: #VU39981

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7421

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging the failure to limit the process I/O loop to the ring size.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=d251157ac1928191af851d199a9ff255d330bec9
http://www.openwall.com/lists/oss-security/2016/09/16/3
http://www.openwall.com/lists/oss-security/2016/09/16/9
http://www.securityfocus.com/bid/92998
http://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
http://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03609.html
http://security.gentoo.org/glsa/201609-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Out-of-bounds write

EUVDB-ID: #VU39982

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7170

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=167d97a3def77ee2dbf6e908b0ecbfe2103977db
http://lists.opensuse.org/opensuse-updates/2016-12/msg00140.html
http://www.openwall.com/lists/oss-security/2016/09/09/4
http://www.openwall.com/lists/oss-security/2016/09/09/7
http://www.securityfocus.com/bid/92904
http://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
http://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01764.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Input validation error

EUVDB-ID: #VU39983

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7157

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_PACK.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=65a8e1f6413a0f6f79894da710b5d6d43361d27d
http://www.openwall.com/lists/oss-security/2016/09/06/4
http://www.openwall.com/lists/oss-security/2016/09/07/3
http://www.securityfocus.com/bid/92775
http://lists.gnu.org/archive/html/qemu-devel/2016-08/msg04295.html
http://lists.gnu.org/archive/html/qemu-devel/2016-08/msg04296.html
http://security.gentoo.org/glsa/201609-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Resource management error

EUVDB-ID: #VU39984

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7156

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8
http://www.openwall.com/lists/oss-security/2016/09/06/3
http://www.openwall.com/lists/oss-security/2016/09/07/2
http://www.securityfocus.com/bid/92774
http://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
http://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00772.html
http://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01246.html
http://security.gentoo.org/glsa/201609-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Out-of-bounds read

EUVDB-ID: #VU39985

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7155

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=7f61f4690dd153be98900a2a508b88989e692753
http://www.openwall.com/lists/oss-security/2016/09/06/2
http://www.openwall.com/lists/oss-security/2016/09/07/1
http://www.securityfocus.com/bid/92772
http://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
http://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00050.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Path traversal

EUVDB-ID: #VU39986

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-7116

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences in hw/9pfs/9p.c in QEMU (aka Quick Emulator). A remote authenticated attacker or local guest OS administrator can access host files outside the export path via a .. (dot dot) in an unspecified string.

Mitigation

A fix has been committed upstream (see the commit link below). Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=56f101ecce0eafd09e2daf1c4eeb1377d6959261
http://www.openwall.com/lists/oss-security/2016/08/30/1
http://www.openwall.com/lists/oss-security/2016/08/30/3
http://www.securityfocus.com/bid/92680
http://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
http://lists.gnu.org/archive/html/qemu-devel/2016-08/msg03917.html
http://lists.gnu.org/archive/html/qemu-devel/2016-08/msg04231.html
http://security.gentoo.org/glsa/201609-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by an administrator of a guest that has a 9p (VirtFS) share exported to it from the host.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS with a 9p export mounted and issue file operations whose path names contain ".." components in order to reach host files outside the export path.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) NULL pointer dereference

EUVDB-ID: #VU39987

Risk: Low

CVSSv3.1: 4.1 [AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-6888

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to an integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator). A local guest OS administrator can supply a crafted maximum fragmentation count that triggers an unchecked multiplication and a subsequent NULL pointer dereference, crashing the QEMU process.
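The allocation pattern behind this class of bug, as an added example that is not QEMU's net_tx_pkt code: a table is sized from a count the guest supplies, and the unchecked product can wrap, after which the allocator hands back too little memory or NULL and the caller dereferences it. The struct, the MAX_FRAGS limit and the function names are assumptions of this illustration.

```c
/* Added illustration, not QEMU's net_tx_pkt code: sizing a fragment
 * table from a count the guest supplies.  The unchecked product can wrap,
 * and an allocator handed a wrapped (or zero) size returns too little
 * memory or NULL, which the caller then dereferences. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

struct frag {                 /* stand-in for a struct iovec entry */
    uint64_t addr;
    uint64_t len;
};

#define MAX_FRAGS 1024u       /* hypothetical protocol limit */

/* Vulnerable shape: the multiply is done in size_t with no wrap check.
 * For count == SIZE_MAX / sizeof(struct frag) + 1 it yields 0. */
size_t frags_bytes_unchecked(size_t count)
{
    return count * sizeof(struct frag);
}

/* Hardened: bound the count by the protocol maximum and refuse any
 * product that would wrap. */
bool frags_bytes_checked(uint32_t count, size_t *bytes)
{
    if (count == 0 || count > MAX_FRAGS) {
        return false;
    }
    if ((size_t)count > SIZE_MAX / sizeof(struct frag)) {
        return false;                       /* would wrap */
    }
    *bytes = (size_t)count * sizeof(struct frag);
    return true;
}

/* Allocate the table zero-filled, or return NULL.  Callers must check
 * for NULL rather than assume the allocator succeeded. */
struct frag *frags_alloc(uint32_t count)
{
    size_t bytes;
    if (!frags_bytes_checked(count, &bytes)) {
        return NULL;
    }
    return calloc(1, bytes);
}
```

Zero-filling the table also removes the uninitialised-memory leak pattern seen in the vmxnet3 completion descriptor issue listed further down.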

Mitigation

A fix has been committed upstream (see the commit link below). Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=47882fa4975bf0b58dd74474329fdd7154e8f04c
http://www.openwall.com/lists/oss-security/2016/08/19/10
http://www.openwall.com/lists/oss-security/2016/08/19/6
http://www.securityfocus.com/bid/92556
http://access.redhat.com/errata/RHSA-2017:2392
http://access.redhat.com/errata/RHSA-2017:2408
http://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
http://lists.gnu.org/archive/html/qemu-devel/2016-08/msg03176.html
http://security.gentoo.org/glsa/201609-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a user who already holds administrative privileges inside a guest running on the vulnerable QEMU.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS and configure an emulated network device that uses the shared transmit packet code (hw/net/net_tx_pkt.c) with a crafted maximum fragmentation count.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Information disclosure

EUVDB-ID: #VU39988

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6836

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local privileged user to gain access to sensitive information.

The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=fdda170e50b8af062cf5741e12c4fb5e57a2eacf
http://www.openwall.com/lists/oss-security/2016/08/11/5
http://www.openwall.com/lists/oss-security/2016/08/18/5
http://www.securityfocus.com/bid/92444
http://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
http://lists.gnu.org/archive/html/qemu-devel/2016-08/msg02108.html
http://security.gentoo.org/glsa/201609-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a user who already holds administrative privileges inside a guest running on the vulnerable QEMU.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS, drive the transmit path of the emulated vmxnet3 NIC and read back the completion descriptor fields that QEMU writes to guest memory without initialising them.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Buffer overflow

EUVDB-ID: #VU39989

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6835

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged user to crash the QEMU process hosting the guest.

The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length.
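The header-length validation this bug lacked, as an added example that is not QEMU's hw/net code: the L4 header of a guest-supplied Ethernet/IPv4 frame is located only after the IPv4 header length field has been checked against both the minimum header size and the bytes actually present. The struct name, the untagged-Ethernet assumption and the two sample frames are constructed for this illustration.

```c
/* Added illustration, not QEMU's hw/net/net_tx_pkt.c: locate the L4
 * header of a guest-supplied Ethernet/IPv4 frame only after the IPv4
 * header length (IHL) has been checked against both the minimum header
 * size and the bytes actually present in the buffer. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ETH_HLEN    14
#define IP_HDR_MIN  20

struct l3_info {
    size_t  ip_hlen;   /* validated IPv4 header length in bytes */
    size_t  l4_off;    /* offset of the transport header in the frame */
    uint8_t proto;     /* IPv4 protocol field */
};

/* Returns true and fills *info when the frame carries a well-formed
 * IPv4 header; false on anything that would require reading past len. */
bool parse_ipv4_header(const uint8_t *pkt, size_t len, struct l3_info *info)
{
    if (len < ETH_HLEN + IP_HDR_MIN) {
        return false;                       /* not even a minimal header */
    }
    if (pkt[12] != 0x08 || pkt[13] != 0x00) {
        return false;                       /* untagged IPv4 only here */
    }
    const uint8_t *ip = pkt + ETH_HLEN;
    size_t ip_len = len - ETH_HLEN;
    if ((ip[0] >> 4) != 4) {
        return false;
    }
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < IP_HDR_MIN || ihl > ip_len) {
        return false;                       /* the over-read the fix closes */
    }
    size_t tot_len = ((size_t)ip[2] << 8) | ip[3];
    if (tot_len < ihl || tot_len > ip_len) {
        return false;                       /* total length lies about payload */
    }
    info->ip_hlen = ihl;
    info->l4_off  = ETH_HLEN + ihl;
    info->proto   = ip[9];
    return true;
}

/* Constructed sample frames, not captured traffic. */
static const uint8_t good_frame[54] = {
    0x52,0x54,0x00,0x12,0x34,0x56, 0x52,0x54,0x00,0x65,0x43,0x21, 0x08,0x00,
    0x45,0x00, 0x00,0x28, 0x00,0x00, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    10,0,0,1, 10,0,0,2,
    /* 20 bytes of zeroed TCP header follow (implicit zero initialisers) */
};
/* Same frame truncated to the IPv4 header, but IHL claims 60 bytes. */
static const uint8_t bad_frame[34] = {
    0x52,0x54,0x00,0x12,0x34,0x56, 0x52,0x54,0x00,0x65,0x43,0x21, 0x08,0x00,
    0x4f,0x00, 0x00,0x14, 0x00,0x00, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    10,0,0,1, 10,0,0,2,
};
```

The second frame is the shape of input that turns an unchecked IHL into a read beyond the guest buffer; the parser refuses it before any offset derived from IHL is used.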

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=93060258ae748573ca7197204125a2670047896d
http://www.openwall.com/lists/oss-security/2016/08/11/7
http://www.openwall.com/lists/oss-security/2016/08/18/4
http://access.redhat.com/errata/RHSA-2017:2392
http://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
http://lists.gnu.org/archive/html/qemu-stable/2016-08/msg00077.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a user who already holds administrative privileges inside a guest running on the vulnerable QEMU.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS and transmit packets with a crafted IP header length through the emulated vmxnet3 NIC.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Resource management error

EUVDB-ID: #VU39990

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6834

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05
http://www.openwall.com/lists/oss-security/2016/08/11/8
http://www.openwall.com/lists/oss-security/2016/08/18/7
http://www.securityfocus.com/bid/92446
http://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
http://lists.gnu.org/archive/html/qemu-devel/2016-08/msg01601.html
http://security.gentoo.org/glsa/201609-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a user who already holds administrative privileges inside a guest running on the vulnerable QEMU.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS and submit a transmit packet whose current fragment has a zero length through the emulated NIC.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Use-after-free

EUVDB-ID: #VU39991

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6833

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8
http://www.openwall.com/lists/oss-security/2016/08/12/1
http://www.openwall.com/lists/oss-security/2016/08/18/3
http://www.securityfocus.com/bid/93255
http://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
http://lists.gnu.org/archive/html/qemu-devel/2016-08/msg01602.html
http://security.gentoo.org/glsa/201609-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a user who already holds administrative privileges inside a guest running on the vulnerable QEMU.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS and write to the BAR0 registers of the emulated vmxnet3 NIC while the device is not active.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Input validation error

EUVDB-ID: #VU39992

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6490

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=1e7aed70144b4673fc26e73062064b6724795e5f
http://www.openwall.com/lists/oss-security/2016/07/28/4
http://www.openwall.com/lists/oss-security/2016/07/28/9
http://lists.gnu.org/archive/html/qemu-devel/2016-07/msg06246.html
http://security.gentoo.org/glsa/201609-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a user who already holds administrative privileges inside a guest running on the vulnerable QEMU.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS and place a zero-length buffer descriptor in a virtqueue of an emulated virtio device.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Input validation error

EUVDB-ID: #VU39993

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4964

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to crash the QEMU process hosting the guest or exhaust host CPU.

The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=06630554ccbdd25780aa03c3548aaff1eb56dffd
http://www.openwall.com/lists/oss-security/2016/05/24/4
http://www.openwall.com/lists/oss-security/2016/05/24/7
http://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04027.html
http://security.gentoo.org/glsa/201609-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a user who already holds administrative privileges inside a guest running on the vulnerable QEMU.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS and manipulate the state of the emulated mptsas controller so that mptsas_fetch_requests loops indefinitely.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Division by zero

EUVDB-ID: #VU40050

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-8669

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a local privileged user to crash the QEMU process hosting the guest.

The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=3592fe0c919cf27a81d8e9f9b4f269553418bb01
http://lists.opensuse.org/opensuse-updates/2016-12/msg00140.html
http://www.openwall.com/lists/oss-security/2016/10/14/9
http://www.openwall.com/lists/oss-security/2016/10/15/5
http://www.securityfocus.com/bid/93563
http://access.redhat.com/errata/RHSA-2017:2392
http://access.redhat.com/errata/RHSA-2017:2408
http://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
http://security.gentoo.org/glsa/201611-11


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a user who already holds administrative privileges inside a guest running on the vulnerable QEMU.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS and program the divisor latch of the emulated serial port with a divider larger than the baud base.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Division by zero

EUVDB-ID: #VU40051

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-8667

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a local privileged user to crash the QEMU process hosting the guest.

The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value.
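Both divide-by-zero entries (the serial port above and the rc4030 timer here) share one shape: a value the guest writes to a register is turned into an intermediate quotient that rounds to zero and is then used as a divisor. The example below is added here to show that shape and its fix on a UART-style computation; it is not QEMU's hw/char/serial.c or hw/dma/rc4030.c, and the struct, the baud base and the function names are assumptions of this illustration.

```c
/* Added illustration, not QEMU's hw/char/serial.c: deriving the
 * per-character transmit time from a guest-programmed divisor.  With an
 * unchecked divisor larger than the baud base the intermediate speed
 * rounds to zero and is then used as a divisor itself. */
#include <stdbool.h>
#include <stdint.h>

#define NANOSECONDS_PER_SECOND 1000000000ULL

/* Hypothetical UART state: baud_base is fixed by the board model,
 * divider is whatever the guest last wrote to the divisor latch. */
struct uart {
    uint32_t baud_base;
    uint32_t divider;
    uint64_t char_time_ns;
};

/* Vulnerable shape, kept only for contrast: with divider == 0 the first
 * division faults, and with divider > baud_base speed becomes 0 and the
 * second division raises SIGFPE, killing the emulator.  Never call it
 * with such inputs. */
uint64_t char_time_unchecked(uint32_t baud_base, uint32_t divider,
                             unsigned frame_bits)
{
    uint32_t speed = baud_base / divider;
    return (NANOSECONDS_PER_SECOND / speed) * frame_bits;
}

/* Hardened: refuse divisors that would produce a zero speed and keep
 * the previous timing unchanged.  Returns false when the write is ignored. */
bool uart_update_params(struct uart *u, unsigned frame_bits)
{
    if (u->divider == 0 || u->divider > u->baud_base) {
        return false;
    }
    uint32_t speed = u->baud_base / u->divider;   /* >= 1 here */
    u->char_time_ns = (NANOSECONDS_PER_SECOND / speed) * frame_bits;
    return true;
}
```

Ignoring the write (rather than clamping it) is the conservative choice for an emulated device: real hardware simply produces a nonsensical baud rate, and the guest gets no host-side side effect either way.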

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://lists.opensuse.org/opensuse-updates/2016-12/msg00140.html
http://www.openwall.com/lists/oss-security/2016/10/14/6
http://www.openwall.com/lists/oss-security/2016/10/15/4
http://www.securityfocus.com/bid/93567
http://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
http://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02577.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a user who already holds administrative privileges inside a guest running on the vulnerable QEMU.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS and write a large interval timer reload value to the emulated rc4030 DMA controller.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Out-of-bounds write

EUVDB-ID: #VU40074

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7423

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors involving MPTSASRequest objects.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=670e56d3ed2918b3861d9216f2c0540d9e9ae0d5
http://www.openwall.com/lists/oss-security/2016/09/16/11
http://www.openwall.com/lists/oss-security/2016/09/16/5
http://www.securityfocus.com/bid/92997
http://bugzilla.redhat.com/show_bug.cgi?id=1376776
http://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03604.html
http://security.gentoo.org/glsa/201611-11


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a user who already holds administrative privileges inside a guest running on the vulnerable QEMU.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS and issue crafted SCSI I/O requests to the emulated LSI SAS1068 (mptsas) controller.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Input validation error

EUVDB-ID: #VU40267

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-8558

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.

The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list.
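Three entries in this bulletin are the same guest-driven hang: a zero-length fragment (CVE-2016-6834), a zero-length virtqueue descriptor (CVE-2016-6490) and a circular iTD list (CVE-2015-8558). Each is a loop over guest-written descriptors that trusts the guest to make the loop terminate. The example below is added here to show one bounded walk that refuses both failure modes; it is not QEMU's virtio, net_tx_pkt or EHCI code, and the descriptor layout, ring size and sample rings are constructed for this illustration.

```c
/* Added illustration, not QEMU's virtio, net_tx_pkt or EHCI code: walk
 * a descriptor chain that lives in (hypothetical) guest memory.  The
 * guest controls every length and next pointer, so the walk refuses
 * descriptors that make no progress and bounds the number of hops so a
 * circular chain terminates. */
#include <stddef.h>
#include <stdint.h>

struct desc {
    uint32_t len;    /* bytes covered by this descriptor; 0 is invalid */
    uint32_t next;   /* index of the next descriptor, or DESC_END */
};
#define DESC_END  0xffffffffu
#define RING_SIZE 8          /* slots in the constructed sample ring */

enum walk_rc {
    WALK_OK        =  0,
    WALK_BAD_INDEX = -1,     /* next points outside the ring */
    WALK_ZERO_LEN  = -2,     /* descriptor would never advance */
    WALK_LOOP      = -3,     /* more hops than slots: a cycle */
};

/* Sum the bytes of the chain that starts at head.  A chain without a
 * cycle visits each slot at most once, so more than ring_size hops is
 * proof of a loop. */
int walk_chain(const struct desc *ring, size_t ring_size, uint32_t head,
               uint64_t *total)
{
    uint64_t sum = 0;
    size_t hops = 0;
    uint32_t i = head;

    while (i != DESC_END) {
        if (i >= ring_size) {
            return WALK_BAD_INDEX;
        }
        if (ring[i].len == 0) {
            return WALK_ZERO_LEN;
        }
        if (++hops > ring_size) {
            return WALK_LOOP;
        }
        sum += ring[i].len;
        i = ring[i].next;
    }
    *total = sum;
    return WALK_OK;
}

/* Constructed sample rings (guest-written tables), not real device state. */
static const struct desc good_ring[RING_SIZE] = {   /* 0 -> 1 -> 3 -> end */
    [0] = {512, 1}, [1] = {1024, 3}, [3] = {64, DESC_END},
};
static const struct desc zero_ring[RING_SIZE] = {   /* slot 1 has len 0 */
    [0] = {512, 1}, [1] = {0, 2}, [2] = {8, DESC_END},
};
static const struct desc loop_ring[RING_SIZE] = {   /* 0 -> 1 -> 2 -> 0 ... */
    [0] = {16, 1}, [1] = {16, 2}, [2] = {16, 0},
};
static const struct desc oob_ring[RING_SIZE] = {    /* next outside ring */
    [0] = {16, 99},
};
```

The hop bound is the important part: it needs no extra memory and no marking of visited slots, and it holds for any chain layout the guest can produce, including one that changes underneath the emulator while the walk is in progress.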

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254
http://www.debian.org/security/2016/dsa-3469
http://www.debian.org/security/2016/dsa-3470
http://www.debian.org/security/2016/dsa-3471
http://www.openwall.com/lists/oss-security/2015/12/14/16
http://www.openwall.com/lists/oss-security/2015/12/14/9
http://www.securityfocus.com/bid/80694
http://bugzilla.redhat.com/show_bug.cgi?id=1277983
http://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02124.html
http://security.gentoo.org/glsa/201602-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a user who already holds administrative privileges inside a guest running on the vulnerable QEMU.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS and build a circular isochronous transfer descriptor (iTD) list for the emulated EHCI USB controller.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Input validation error

EUVDB-ID: #VU40395

Risk: High

CVSSv3.1: 7.8 [AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2016-1568

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local guest OS user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free in the AHCI (Advanced Host Controller Interface) emulation when handling an invalid Native Command Queuing (NCQ) AIO command. A guest OS user can crash the QEMU instance or possibly execute arbitrary code in the context of the QEMU process.

Mitigation

A fix has been committed upstream (see the commit link below). Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=4ab0359a8ae182a7ac5c99609667273167703fab
http://rhn.redhat.com/errata/RHSA-2016-0084.html
http://rhn.redhat.com/errata/RHSA-2016-0086.html
http://rhn.redhat.com/errata/RHSA-2016-0087.html
http://rhn.redhat.com/errata/RHSA-2016-0088.html
http://www.debian.org/security/2016/dsa-3469
http://www.debian.org/security/2016/dsa-3470
http://www.debian.org/security/2016/dsa-3471
http://www.openwall.com/lists/oss-security/2016/01/09/1
http://www.openwall.com/lists/oss-security/2016/01/09/2
http://www.securityfocus.com/bid/80191
http://www.securitytracker.com/id/1034859
http://security.gentoo.org/glsa/201602-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a user inside a guest whose emulated AHCI controller is provided by the vulnerable QEMU.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS and issue an invalid NCQ command to the emulated AHCI controller.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Stack-based buffer overflow

EUVDB-ID: #VU40396

Risk: Medium

CVSSv3.1: 5.4 [AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2015-5158

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a local guest OS user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in hw/scsi/scsi-bus.c, when QEMU is built with SCSI device emulation support, while parsing an invalid opcode in a SCSI command descriptor block (CDB). A guest OS user with CAP_SYS_RAWIO (the capability needed to issue raw SCSI commands) can trigger a stack-based buffer overflow and crash the QEMU instance.

Successful exploitation of this vulnerability crashes the QEMU instance that hosts the guest.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://www.securityfocus.com/bid/76016
http://www.securitytracker.com/id/1033095
http://lists.nongnu.org/archive/html/qemu-devel/2015-07/msg04558.html
http://security.gentoo.org/glsa/201510-02


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a guest OS user holding CAP_SYS_RAWIO.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS and send a SCSI command with an invalid opcode in its command descriptor block to the emulated SCSI device.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Buffer overflow

EUVDB-ID: #VU40605

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-7295

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack against the guest's network connectivity.

hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169624.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169767.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169802.html
http://www.debian.org/security/2016/dsa-3469
http://www.debian.org/security/2016/dsa-3470
http://www.debian.org/security/2016/dsa-3471
http://www.openwall.com/lists/oss-security/2015/09/18/5
http://www.openwall.com/lists/oss-security/2015/09/18/9
http://www.securityfocus.com/bid/82672
http://security.gentoo.org/glsa/201602-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker who can send traffic to the guest's network interface.

How can the attacker exploit this vulnerability?

The attacker would have to send a flood of jumbo frames to the guest's virtio-net interface through the host's tuntap or macvtap backend; no interaction from the victim is required.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Improper access control

EUVDB-ID: #VU40723

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-4106

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local x86 HVM guest to escalate privileges or crash the host.

The vulnerability exists because QEMU does not properly restrict write access to the PCI config space of certain PCI pass-through devices. A local x86 HVM guest with such a device assigned can gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.
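The mechanism that "properly restricting write access" to config space comes down to, as an added example that is not Xen's or QEMU's pass-through code: a per-byte writable mask is applied to every guest write, so bits the policy does not list keep the value the host programmed. The struct, the register offsets chosen and the policy itself are assumptions of this illustration; real BAR handling needs dedicated size-probing emulation, which is why BARs stay read-only here.

```c
/* Added illustration, not Xen's or QEMU's pass-through code: apply a
 * per-byte writable mask to guest writes into the PCI configuration
 * space of a pass-through device.  Bytes whose mask bits are clear keep
 * the value the host programmed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PCI_CFG_SIZE       256
#define PCI_COMMAND        0x04
#define PCI_INTERRUPT_LINE 0x3c

struct pt_dev {
    uint8_t cfg[PCI_CFG_SIZE];    /* emulated view of config space */
    uint8_t wmask[PCI_CFG_SIZE];  /* set bits: guest may modify */
};

/* Hypothetical policy for this illustration: the guest may toggle the
 * I/O, memory and bus-master enable bits of COMMAND and may program
 * INTERRUPT_LINE.  Everything else (IDs, BARs, capability pointers,
 * vendor-specific registers) stays read-only. */
void pt_dev_init_mask(struct pt_dev *d)
{
    memset(d->wmask, 0, sizeof d->wmask);
    d->wmask[PCI_COMMAND] = 0x07;
    d->wmask[PCI_INTERRUPT_LINE] = 0xff;
}

/* Guest write of len bytes at addr.  Returns false for a malformed
 * access; otherwise merges only the permitted bits. */
bool pt_dev_cfg_write(struct pt_dev *d, unsigned addr,
                      const uint8_t *val, unsigned len)
{
    if (len == 0 || len > 4 || addr > PCI_CFG_SIZE - len) {
        return false;
    }
    for (unsigned i = 0; i < len; i++) {
        uint8_t m = d->wmask[addr + i];
        d->cfg[addr + i] = (uint8_t)((d->cfg[addr + i] & ~m) | (val[i] & m));
    }
    return true;
}

uint8_t pt_dev_cfg_read8(const struct pt_dev *d, unsigned addr)
{
    return addr < PCI_CFG_SIZE ? d->cfg[addr] : 0xff;
}
```

The mask is an allow-list: any register the policy author forgot is read-only by default, which is the failure direction you want for a device that can issue DMA on the host's behalf.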

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160154.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160171.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160685.html
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00029.html
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00030.html
http://support.citrix.com/article/CTX201145
http://www.debian.org/security/2015/dsa-3284
http://www.debian.org/security/2015/dsa-3286
http://www.securityfocus.com/bid/74949
http://www.securitytracker.com/id/1032467
http://www.ubuntu.com/usn/USN-2630-1
http://xenbits.xen.org/xsa/advisory-131.html
http://security.gentoo.org/glsa/201604-03
http://support.citrix.com/article/CTX206006


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by an x86 HVM guest that has a PCI device passed through to it.

How can the attacker exploit this vulnerability?

The attacker would have to control such a guest and write to the PCI configuration space of the pass-through device from inside the guest.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Buffer overflow

EUVDB-ID: #VU41104

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2014-5388

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local guest user to obtain sensitive information and possibly cause other unspecified impact.

Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=fa365d7cd11185237471823a5a33d36765454e16
http://seclists.org/oss-sec/2014/q3/438
http://seclists.org/oss-sec/2014/q3/440
http://www.ubuntu.com/usn/USN-2409-1
http://bugzilla.redhat.com/show_bug.cgi?id=1132956
http://lists.gnu.org/archive/html/qemu-devel/2014-08/msg03338.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only locally, by a user inside a guest running on the vulnerable QEMU.

How can the attacker exploit this vulnerability?

The attacker would have to control a guest OS and access the ACPI PCI hotplug I/O interface with crafted values so that pci_read indexes one element past the end of its array.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


