Resource management error in qemu (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2014-9718 |
| CWE-ID | CWE-399 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
qemu (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Resource management error
EUVDB-ID: #VU32424
Risk: Low
CVSSv3.1: 5.4 [CVSS:3.1/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-9718
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.
The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions.
MitigationInstall update from vendor's website.
Vulnerable software versionsqemu (Alpine package): 2.1.2-r2 - 2.1.2-r4
CPE2.3- cpe:2.3:o:alpine:qemu_alpine_package:2.1.2-r3:*:*:*:*:alpine_linux:*:
- cpe:2.3:o:alpine:qemu_alpine_package:2.1.2-r4:*:*:*:*:alpine_linux:*:
- cpe:2.3:o:alpine:qemu_alpine_package:2.1.2-r2:*:*:*:*:alpine_linux:*:
http://git.alpinelinux.org/aports/commit/?id=00ade249b3e02a57b1913c988b3d9213f37aca80
http://git.alpinelinux.org/aports/commit/?id=6f103bd1f36f0a25e39a28a766d664ad942d0346
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
