CVE-2015-3456 – QEMU - Floppy Disk Controller (FDC) (PoC)
https://notcve.org/view.php?id=CVE-2015-3456
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM. Floppy Disk Controller (FDC) en QEMU, utilizado en Xen 4.5.x y anteriores y KVM, permite a usuarios locales invitados causar una denegación de servicio (escritura fuera de rango y caída del invitado) o posiblemente ejecutar código arbitrario a través de (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, u otros comandos sin especificar, también conocido como VENOM. An out-of-bounds memory access flaw was found in the way QEMU's virtual Floppy Disk Controller (FDC) handled FIFO buffer access while processing certain FDC commands. A privileged guest user could use this flaw to crash the guest or, potentially, execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest. • https://www.exploit-db.com/exploits/37053 http://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=e907746266721f305d67bc0718795fedee2e824c http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10693 http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158072.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00014.html http:/ • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2015-1779 – qemu: vnc: insufficient resource limiting in VNC websockets decoder
https://notcve.org/view.php?id=CVE-2015-1779
The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section. El decodificador de frames websocket VNC en QEMU permite a atacantes remotos causar una denegación de servicio (consumo de CPU y memoria) a través de una gran (1) carga útil websocket o (2) sección de cabeceras HTTP It was found that the QEMU's websocket frame decoder processed incoming frames without limiting resources used to process the header and the payload. An attacker able to access a guest's VNC console could use this flaw to trigger a denial of service on the host by exhausting all available memory and CPU. • http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154656.html http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155196.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00033.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00042.html http://rhn.redhat.com/errata/RHSA-2015-1931.html http://rhn.redhat.com/errata/RHSA-2015-1943.html http://www.debian.org/security/2015/dsa-3259 http://www.openwall.com/lists/oss-secu • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2014-9718
https://notcve.org/view.php?id=CVE-2014-9718
The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions. Las interfaces (1) BMDMA y (2) AHCI HBA en la funcionalidad IDE en QEMU 1.0 hasta 2.1.3 tienen múltiples interpretaciones del valor de retorno de una función, lo que permite a usarios del sistema operativo invitado causar una denegación de servicio en el sistema operativo del anfitrión (corrupción de memoria o bucle infinito, y caída del sistema) a través de un PRDT sin ningun sector completo, relacionado con las funciones bmdma_prepare_buf y ahci_dma_prepare_buf. • http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=3251bdcf1c67427d964517053c3d185b46e618e8 http://openwall.com/lists/oss-security/2015/04/20/7 http://www.debian.org/security/2015/dsa-3259 http://www.securityfocus.com/bid/73316 • CWE-399: Resource Management Errors •
CVE-2014-7840 – qemu: insufficient parameter validation during ram load
https://notcve.org/view.php?id=CVE-2014-7840
The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data. La función host_from_stream_offset en arch_init.c en QEMU, cuando carga RAM durante la migración, permite a atacantes remotos ejecutar código arbitrario a través de un valor (1) offset o (2) length manipulado en datos savevm. It was found that certain values that were read when loading RAM during migration were not validated. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. • http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=0be839a2701369f669532ea5884c15bead1c6e08 http://rhn.redhat.com/errata/RHSA-2015-0349.html http://rhn.redhat.com/errata/RHSA-2015-0624.html http://thread.gmane.org/gmane.comp.emulators.qemu/306117 https://bugzilla.redhat.com/show_bug.cgi?id=1163075 https://exchange.xforce.ibmcloud.com/vulnerabilities/99194 https://access.redhat.com/security/cve/CVE-2014-7840 • CWE-20: Improper Input Validation CWE-122: Heap-based Buffer Overflow •
CVE-2014-3471
https://notcve.org/view.php?id=CVE-2014-3471
Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU instance crash) via hotplug and hotunplug operations of Virtio block devices. Vulnerabilidad de uso de memoria previamente liberada en hw/pci/pcie.c en QEMU (también conocido como Quick Emulator) permite que usuarios invitados locales del sistema operativo provoquen una denegación de servicio (cierre inesperado de la instancia QEMU) mediante las operaciones hotplug y hotunplug de los dispositivos Virtio orientados a bloques. • http://security.gentoo.org/glsa/glsa-201412-01.xml http://www.openwall.com/lists/oss-security/2014/06/23/4 http://www.securityfocus.com/bid/68145 https://bugzilla.redhat.com/show_bug.cgi?id=1112271 https://lists.gnu.org/archive/html/qemu-devel/2014-06/msg05283.html • CWE-416: Use After Free •