[arch-security] [ASA-201505-9] qemu: arbitrary code execution

Levente Polyak anthraxx at archlinux.org
Thu May 14 12:29:15 UTC 2015


Arch Linux Security Advisory ASA-201505-9
=========================================

Severity: Critical
Date    : 2015-05-14
CVE-ID  : CVE-2015-3456
Package : qemu
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package qemu before version 2.2.1-5 is vulnerable to arbitrary code
execution in the context of the host’s hypervisor process.

Resolution
==========

Upgrade to 2.2.1-5.

# pacman -Syu "qemu>=2.2.1-5"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

The guest operating system communicates with the FDC by sending commands
such as seek, read, write, format, etc. to the FDC’s input/output port.
QEMU’s virtual FDC uses a fixed-size buffer for storing these commands
and their associated data parameters. The FDC keeps track of how much
data to expect for each command and, after all expected data for a given
command is received from the guest system, the FDC executes the command
and clears the buffer for the next command.

This buffer reset is performed immediately at the completion of
processing for all FDC commands, except for two of the defined commands.
An attacker can send these commands and specially crafted parameter data
from the guest system to the FDC to overflow the data buffer and execute
arbitrary code in the context of the host’s hypervisor process.


Impact
======

A remote attacker is able to send FDC commands and specially crafted
parameter data from the guest system to overflow the data buffer and
execute arbitrary code in the context of the host’s hypervisor process.

References
==========

https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
https://github.com/qemu/qemu/commit/e90774626
https://bugs.archlinux.org/task/44954

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150514/557e65c8/attachment.asc>


More information about the arch-security mailing list