Multiple vulnerabilities in QEMU
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 15 |
| CVE-ID | CVE-2016-9603 CVE-2017-7377 CVE-2017-7471 CVE-2017-7493 CVE-2017-7718 CVE-2017-7980 CVE-2017-8086 CVE-2017-8112 CVE-2017-8309 CVE-2017-8379 CVE-2017-8380 CVE-2017-9060 CVE-2017-9310 CVE-2017-9330 CVE-2017-2630 |
| CWE-ID | CWE-122 CWE-119 CWE-284 CWE-125 CWE-787 CWE-835 CWE-121 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
QEMU Client/Desktop applications / Virtualization software |
| Vendor | QEMU |
Security Bulletin
This security bulletin contains information about 15 vulnerabilities.
1) Heap-based buffer overflow
EUVDB-ID: #VU6934
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-9603
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionQuick Emulator(Qemu) built with the Cirrus CLGD 54xx VGA Emulator and the VNC display driver support is vulnerable to a heap buffer overflow issue. It could occur when Vnc client attempts to update its display after a vga operation is performed by a guest. A privileged user/process inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially leverage it to execute arbitrary code on the host with privileges of the Qemu process.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.1 - 2.9.0
External linkshttp://git.qemu.org/?p=qemu.git;a=commit;h=50628d3479e4f9aa97e323506856e394fe7ad7a6
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory corruption
EUVDB-ID: #VU6935
Risk: Low
CVSSv3.1: 2.3 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7377
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.15.2 - 2.9.0
External linkshttp://git.qemu.org/?p=qemu.git;a=commit;h=d63fb193e71644a073b77ff5ac6f1216f2f6cf6e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper access control
EUVDB-ID: #VU6936
Risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7471
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionQuick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.15.2 - 2.9.0
External linkshttp://git.qemu.org/?p=qemu.git;a=commitdiff;h=9c6b899f7a46893ab3b671e341a2234e9c0c060e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper access control
EUVDB-ID: #VU6937
Risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7493
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionQuick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.1 - 2.9.0
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2017-05/msg03663.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Out-of-bounds read
EUVDB-ID: #VU6938
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7718
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Descriptionhw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.1 - 2.9.0
External linkshttp://git.qemu.org/?p=qemu.git;a=commit;h=215902d7b6fb50c6fc216fc74f770858278ed904
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Out-of-bounds write
EUVDB-ID: #VU6939
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7980
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionQuick emulator(Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds r/w access issues. It could occur while copying VGA data via various bitblt functions. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially execute arbitrary code on a host with privileges of Qemu process on the host.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.1 - 2.9.0
External linkshttp://git.qemu.org/?p=qemu.git;a=commitdiff;h=ffaf857778286ca54e3804432a2369a279e73aa7
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Memory corruption
EUVDB-ID: #VU6940
Risk: Low
CVSSv3.1: 2.3 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8086
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionMemory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.1 - 2.9.0
External linkshttp://git.qemu.org/?p=qemu.git;a=commit;h=4ffcdef4277a91af15a3c09f7d16af072c29f3f2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Infinite loop
EUVDB-ID: #VU6941
Risk: Low
CVSSv3.1: 2.3 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8112
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
Descriptionhw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.1 - 2.9.0
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04578.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Memory corruption
EUVDB-ID: #VU6942
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8309
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionMemory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.1 - 2.9.0
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05587.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Memory corruption
EUVDB-ID: #VU6943
Risk: Low
CVSSv3.1: 2.3 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8379
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionMemory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.1 - 2.9.0
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05599.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Out-of-bounds read
EUVDB-ID: #VU6944
Risk: Low
CVSSv3.1: 2.3 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8380
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionQuick Emulator(Qemu) built with the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support is vulnerable to an out-of-bounds read access issue. It could occur while performing a MMIO write operation. A privileged user inside guest could use this flaw to read host memory leading to potentially crash the Qemu process on the host.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.1 - 2.9.0
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04147.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Memory corruption
EUVDB-ID: #VU6945
Risk: Low
CVSSv3.1: 2.3 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9060
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionMemory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (memory consumption) via a large number of "VIRTIO_GPU_CMD_SET_SCANOUT:" commands.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.1 - 2.9.0
External linkshttp://git.qemu.org/?p=qemu.git;a=commit;h=dd248ed7e204ee8a1873914e02b8b526e8f1b80d
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Infinite loop
EUVDB-ID: #VU6946
Risk: Low
CVSSv3.1: 2.3 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9310
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionQemu emulator built with the e1000e NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head(TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.1 - 2.9.0
External linkshttp://git.qemu.org/?p=qemu.git;a=commitdiff;h=4154c7e03fa55b4cf52509a83d50d6c09d743b7
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Infinite loop
EUVDB-ID: #VU6947
Risk: Low
CVSSv3.1: 2.3 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9330
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionQuick Emulator built with the USB OHCI Emulation support is vulnerable to an infinite loop issue. It could occur while processing an endpoint list descriptor in ohci_service_ed_list(). A guest user/process could use this flaw to crash Qemu process resulting in DoS.
MitigationUpdate to version 2.9.0-r2.
Vulnerable software versionsQEMU: 0.1 - 2.9.0
External linkshttp://git.qemu.org/?p=qemu.git;a=commitdiff;h=26f670a244982335cc08943fb1ec099a2c81e42d
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Stack-based buffer overflow
EUVDB-ID: #VU14205
Risk: High
CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-2630
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The vulnerability exists in Quick Emulator (QEMU) configured with network block device (NBD) client support due to improper processing of an NBD server's response to an NBD_OPT_LIST request sent from an affected NBD client. A remote attacker can trick the user on an NBD client into sending an NBD_OPT_LIST request to the attacker-controlled NBD serverб trigger stack-based buffer overflow and cause the service to crash or execute arbitrary code on the targeted NBD client with elevated privileges.
MitigationUpdate to version 2.9 or later.
QEMU: 2.0 - 2.8.1.1
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2017-03/msg01455.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
