CVE-2008-1945
qemu/kvm/xen: add image format options for USB storage and removable media
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
QEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004.
QEMU 0.9.0 no maneja apropiadamente cambio de medios extraíbles, lo cual permite a usuarios invitados del sistema operativo leer ficheros de su elección en el Host del sistema operativo utilizando el diskformat: parámetro en la opción -usbdevice para modificar la cabecera disk-image para identificar un formato diferente, una cuestión relacionada a CVE-2008-2004.
Multiple vulnerabilities have been found in Qemu. Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to attempting to mark non-existent regions as dirty, aka the bitblt heap overflow. Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 receive integer signedness error. QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction. QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by aam 0x0, which triggers a divide-by-zero error. The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitrary code by writing Ethernet frames with a size larger than the MTU to the EN0_TCNT register, which triggers a heap-based buffer overflow in the slirp library, aka NE2000 mtu heap overflow. Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the net socket listen option, aka QEMU net socket heap overflow. QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating system to overwrite the TranslationBlock (code_gen_buffer) buffer, and probably have unspecified other impacts related to an overflow, via certain Windows executable programs, as demonstrated by qemu-dos.com. Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine. Changing removable media in QEMU could trigger a bug similar to CVE-2008-2004, which would allow local guest users to read arbitrary files on the host by modifying the header of the image to identify a different format. the -usbdevice option. The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted. The updated packages have been patched to fix these issues.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2008-04-24 CVE Reserved
- 2008-08-08 CVE Published
- 2024-08-07 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (16)
| URL | Tag | Source |
|---|---|---|
| http://secunia.com/advisories/32063 | Third Party Advisory | |
| http://secunia.com/advisories/32088 | Third Party Advisory | |
| http://secunia.com/advisories/34642 | Third Party Advisory | |
| http://secunia.com/advisories/35031 | Third Party Advisory | |
| http://secunia.com/advisories/35062 | Third Party Advisory | |
| http://www.securityfocus.com/bid/30604 | Third Party Advisory | |
| http://www.securitytracker.com/id?1020959 | Third Party Advisory | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/44269 | Third Party Advisory | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9905 | Signature |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html | 2020-12-16 | |
| http://www.debian.org/security/2009/dsa-1799 | 2020-12-16 | |
| http://www.mandriva.com/security/advisories?name=MDVSA-2008:162 | 2020-12-16 | |
| http://www.ubuntu.com/usn/usn-776-1 | 2020-12-16 | |
| https://rhn.redhat.com/errata/RHSA-2008-0892.html | 2020-12-16 | |
| https://access.redhat.com/security/cve/CVE-2008-1945 | 2008-10-01 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=445844 | 2008-10-01 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Qemu Search vendor "Qemu" | Qemu Search vendor "Qemu" for product "Qemu" | 0.9.0 Search vendor "Qemu" for product "Qemu" and version "0.9.0" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Opensuse Search vendor "Opensuse" for product "Opensuse" | 10.3 Search vendor "Opensuse" for product "Opensuse" and version "10.3" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Opensuse Search vendor "Opensuse" for product "Opensuse" | 11.0 Search vendor "Opensuse" for product "Opensuse" and version "11.0" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Opensuse Search vendor "Opensuse" for product "Opensuse" | 11.1 Search vendor "Opensuse" for product "Opensuse" and version "11.1" | - |
Affected
| ||||||
| Suse Search vendor "Suse" | Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server" | 10 Search vendor "Suse" for product "Linux Enterprise Server" and version "10" | - |
Affected
| ||||||
| Suse Search vendor "Suse" | Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server" | 11 Search vendor "Suse" for product "Linux Enterprise Server" and version "11" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 4.0 Search vendor "Debian" for product "Debian Linux" and version "4.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 5.0 Search vendor "Debian" for product "Debian Linux" and version "5.0" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 8.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "8.04" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 8.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "8.10" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop" | 5.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "5.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus" | 5.2 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "5.2" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 5.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "5.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation" | 5.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "5.0" | - |
Affected
| ||||||