#VU12163 Memory leak in QEMU - CVE-2017-15268

Cybersecurity Help s.r.o.

Published: 2018-04-16 | Updated: 2018-04-25

Vulnerability identifier: #VU12163

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-15268

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
QEMU
Client/Desktop applications / Virtualization software

Vendor: QEMU

Description

The vulnerability allows a remote attacker to cause DoІ condition on the target system.

The weakness exists in io/channel-websock.c due to memory leak in slow data-channel read operations. A remote attacker can trigger memory corruption and cause the service to crash.

Mitigation
Update to version 2.10.1.

Vulnerable software versions

QEMU: 2.10.0

External links
https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02278.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Amazon Linux AMI update for qemu-kvm

Debian update for qemu

Red Hat update for qemu-kvm-rhev

Red Hat update for qemu-kvm

Denial of service in QEMU