#VU11818 Improper input validation in QEMU - CVE-2017-13673


| Updated: 2018-04-13

Vulnerability identifier: #VU11818

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-13673

CWE-ID: CWE-20

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
QEMU
Client/Desktop applications / Virtualization software

Vendor: QEMU

Description

The vulnerability allows an adjacent authenticated attacker to cause DoS condition on the target system.

The vulnerability exists in the vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen mode in the cpu_physical_memory_snapshot_get_dirty function due to assertion failure. An adjacent attacker can cause the service to crash.

Mitigation
Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

External links
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bfc56535f793c557aa754c50213fc5f882e6482d

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


OpenSUSE Linux update for qemu
Red Hat update for qemu
Red Hat update for qemu-kvm-rhev
Fedora 25 update for xen
Fedora 26 update for xen
Fedora 25 update for xen
Fedora 26 update for xen
Fedora 27 update for xen