CVE-2015-7512

Qemu: net: pcnet: buffer overflow in non-loopback mode

Severity Score

9.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.

Desbordamiento de buffer en la función pcnet_receive en hw/net/pcnet.c en QEMU, cuando un NIC invitado tiene un MTU más grande, permite a atacantes provocar una denegación de servicio (caída de SO invitado) o ejecutar código arbitrario a través de un paquete grande.

A buffer overflow flaw was found in the way QEMU's AMD PC-Net II emulation validated certain received packets from a remote host in non-loopback mode. A remote, unprivileged attacker could potentially use this flaw to execute arbitrary code on the host with the privileges of the QEMU process. Note that to exploit this flaw, the guest network interface must have a large MTU limit.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-09-29 CVE Reserved
2015-12-03 CVE Published
2024-08-06 CVE Updated
2024-09-14 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-122: Heap-based Buffer Overflow

CAPEC

References (14)

URL	Tag	Source
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=8b98a2f07175d46c3f7217639bd5e03f	X_refsource_confirm
http://www.openwall.com/lists/oss-security/2015/11/30/3	Mailing List
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html	Third Party Advisory
http://www.securityfocus.com/bid/78230	Third Party Advisory
http://www.securitytracker.com/id/1034527	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2015-2694.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2015-2695.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2015-2696.html	2023-02-13
http://www.debian.org/security/2016/dsa-3469	2023-02-13
http://www.debian.org/security/2016/dsa-3470	2023-02-13
http://www.debian.org/security/2016/dsa-3471	2023-02-13
https://security.gentoo.org/glsa/201602-01	2023-02-13
https://access.redhat.com/security/cve/CVE-2015-7512	2015-12-22
https://bugzilla.redhat.com/show_bug.cgi?id=1285061	2015-12-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"	Openstack Search vendor "Redhat" for product "Openstack"	5.0 Search vendor "Redhat" for product "Openstack" and version "5.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"	6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0"	-	Safe
Redhat Search vendor "Redhat"	Virtualization Search vendor "Redhat" for product "Virtualization"	3.0 Search vendor "Redhat" for product "Virtualization" and version "3.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"	6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0"	-	Safe
Qemu Search vendor "Qemu"		Qemu Search vendor "Qemu" for product "Qemu"				<= 2.4.1 Search vendor "Qemu" for product "Qemu" and version " <= 2.4.1"		-		Affected
Qemu Search vendor "Qemu"		Qemu Search vendor "Qemu" for product "Qemu"				2.5.0 Search vendor "Qemu" for product "Qemu" and version "2.5.0"		rc0		Affected
Qemu Search vendor "Qemu"		Qemu Search vendor "Qemu" for product "Qemu"				2.5.0 Search vendor "Qemu" for product "Qemu" and version "2.5.0"		rc1		Affected
Qemu Search vendor "Qemu"		Qemu Search vendor "Qemu" for product "Qemu"				2.5.0 Search vendor "Qemu" for product "Qemu" and version "2.5.0"		rc2		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				6.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				6.7 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "6.7"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				6.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "6.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Oracle Search vendor "Oracle"		Linux Search vendor "Oracle" for product "Linux"				6 Search vendor "Oracle" for product "Linux" and version "6"		-		Affected