Vulnerability identifier: #VU11234
Vulnerability risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID: CWE-369
Exploitation vector: Local network
Exploit availability: No
Vulnerable software: QEMU (Client/Desktop applications / Virtualization software)
Vendor: QEMU
Description
The vulnerability allows an adjacent attacker to cause a denial-of-service (DoS) condition on the target system.
The weakness exists due to a divide-by-zero error when unsetting vring alignment while updating Virtio rings. An adjacent attacker can cause the service to crash.
Mitigation
Update to version 2.11.1 or later.
Vulnerable software versions
QEMU: 2.8.0 - 2.11.0
External links
https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.