Main Vulnerability Database Vulnerabilities #VU14205

#VU14205 Stack-based buffer overflow in QEMU - CVE-2017-2630

Published: August 6, 2018 / Updated: August 7, 2018

Vulnerability identifier: #VU14205

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2017-2630

CWE-ID: CWE-121

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
QEMU

Software vendor:
QEMU

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The vulnerability exists in Quick Emulator (QEMU) configured with network block device (NBD) client support due to improper processing of an NBD server's response to an NBD_OPT_LIST request sent from an affected NBD client. A remote attacker can trick the user on an NBD client into sending an NBD_OPT_LIST request to the attacker-controlled NBD serverб trigger stack-based buffer overflow and cause the service to crash or execute arbitrary code on the targeted NBD client with elevated privileges.

Remediation

Update to version 2.9 or later.

External links

https://lists.gnu.org/archive/html/qemu-devel/2017-03/msg01455.html

#VU14205 Stack-based buffer overflow in QEMU - CVE-2017-2630

Description

Remediation

External links

Please verify you're human