CVE-2017-2620
Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo
Severity Score
9.9
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.
Quick emulator (QEMU) en versiones anteriores a la 2.8 construido con el soporte del emulador Cirrus CLGD 54xx VGA Emulator es vulnerable a un problema de acceso fuera de límites. El problema puede ocurrir al copiar datos VGA en cirrus_bitblt_cputovideo. Un usuario privilegiado dentro de guest podría usar esta vulnerabilidad para bloquear el proceso de QEMU o potencialmente ejecutar código arbitrario en el host con privilegios del proceso de QEMU.
Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.
KVM is a full virtualization solution for Linux on x86 hardware. Using KVM, one can run multiple virtual machines running unmodified Linux or Windows images. Each virtual machine has private virtualized hardware: a network card, disk, graphics adapter, etc. Security Fix: Quick emulator built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2016-12-01 CVE Reserved
- 2017-02-27 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-125: Out-of-bounds Read
- CWE-787: Out-of-bounds Write
CAPEC
References (25)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2017/02/21/1 | Mailing List |
|
| http://www.securityfocus.com/bid/96378 | Third Party Advisory | |
| http://www.securitytracker.com/id/1037870 | Third Party Advisory | |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2620 | Issue Tracking | |
| https://lists.debian.org/debian-lts-announce/2018/02/msg00005.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html | Mailing List |
|
| https://support.citrix.com/article/CTX220771 | Third Party Advisory | |
| https://xenbits.xen.org/xsa/advisory-209.html | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html | 2023-11-07 |
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2017-0328.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2017-0329.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2017-0330.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2017-0331.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2017-0332.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2017-0333.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2017-0334.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2017-0350.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2017-0351.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2017-0352.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2017-0396.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2017-0454.html | 2023-11-07 | |
| https://security.gentoo.org/glsa/201703-07 | 2023-11-07 | |
| https://security.gentoo.org/glsa/201704-01 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2017-2620 | 2017-03-07 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1420484 | 2017-03-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Qemu Search vendor "Qemu" | Qemu Search vendor "Qemu" for product "Qemu" | < 2.8.0 Search vendor "Qemu" for product "Qemu" and version " < 2.8.0" | - |
Affected
| ||||||
| Citrix Search vendor "Citrix" | Xenserver Search vendor "Citrix" for product "Xenserver" | 6.0.2 Search vendor "Citrix" for product "Xenserver" and version "6.0.2" | - |
Affected
| ||||||
| Citrix Search vendor "Citrix" | Xenserver Search vendor "Citrix" for product "Xenserver" | 6.2.0 Search vendor "Citrix" for product "Xenserver" and version "6.2.0" | sp1 |
Affected
| ||||||
| Citrix Search vendor "Citrix" | Xenserver Search vendor "Citrix" for product "Xenserver" | 6.5 Search vendor "Citrix" for product "Xenserver" and version "6.5" | sp1 |
Affected
| ||||||
| Citrix Search vendor "Citrix" | Xenserver Search vendor "Citrix" for product "Xenserver" | 7.0 Search vendor "Citrix" for product "Xenserver" and version "7.0" | - |
Affected
| ||||||
| Citrix Search vendor "Citrix" | Xenserver Search vendor "Citrix" for product "Xenserver" | 7.1 Search vendor "Citrix" for product "Xenserver" and version "7.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 5.0 Search vendor "Redhat" for product "Openstack" and version "5.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 6.0 Search vendor "Redhat" for product "Openstack" and version "6.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 7.0 Search vendor "Redhat" for product "Openstack" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 8 Search vendor "Redhat" for product "Openstack" and version "8" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 9 Search vendor "Redhat" for product "Openstack" and version "9" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 10 Search vendor "Redhat" for product "Openstack" and version "10" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop" | 6.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "6.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus" | 7.3 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.3" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus" | 7.4 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.4" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Server Eus Search vendor "Redhat" for product "Enterprise Linux Server Eus" | 7.3 Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.3" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Server Eus Search vendor "Redhat" for product "Enterprise Linux Server Eus" | 7.4 Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.4" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Server Eus Search vendor "Redhat" for product "Enterprise Linux Server Eus" | 7.5 Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.5" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation" | 6.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "6.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0" | - |
Affected
| ||||||
| Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | <= 4.7.1 Search vendor "Xen" for product "Xen" and version " <= 4.7.1" | - |
Affected
| ||||||
| Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | 4.7.1 Search vendor "Xen" for product "Xen" and version "4.7.1" | r1 |
Affected
| ||||||
| Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | 4.7.1 Search vendor "Xen" for product "Xen" and version "4.7.1" | r2 |
Affected
| ||||||
| Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | 4.7.1 Search vendor "Xen" for product "Xen" and version "4.7.1" | r3 |
Affected
| ||||||
| Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | 4.7.1 Search vendor "Xen" for product "Xen" and version "4.7.1" | r4 |
Affected
| ||||||
| Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | 4.7.1 Search vendor "Xen" for product "Xen" and version "4.7.1" | r5 |
Affected
| ||||||
| Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | 4.7.1 Search vendor "Xen" for product "Xen" and version "4.7.1" | r6 |
Affected
| ||||||
| Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | 4.7.1 Search vendor "Xen" for product "Xen" and version "4.7.1" | r7 |
Affected
| ||||||