QEMU is prone to a heap-based buffer-overflow vulnerability.
Successful exploits may allow attackers to execute arbitrary code on the host with the privileges of the hosting QEMU process. Failed exploit attempts will cause denial-of-service conditions.
Information
Xen Xen 4.4.1
Xen Xen 4.4.0
Xen Xen 4.4
Xen Xen 4.3.1
Xen Xen 4.3.0
Xen Xen 4.3
Xen Xen 4.2.3
Xen Xen 4.2.2
Xen Xen 4.2.1
Xen Xen 4.2.0
Xen Xen 4.2
Ubuntu Ubuntu Linux 15.04
Ubuntu Ubuntu Linux 14.10
Ubuntu Ubuntu Linux 14.04 LTS
Ubuntu Ubuntu Linux 12.04 LTS i386
Ubuntu Ubuntu Linux 12.04 LTS amd64
SuSE SUSE Linux Enterprise Software Development Kit 11 SP3
SuSE SUSE Linux Enterprise Server 11 SP3
SuSE SUSE Linux Enterprise Server 11 SP1 LTSS
SuSE SUSE Linux Enterprise Server 10 SP4 LTSS
SuSE Linux Enterprise Server 11 SP2 LTSS
SuSE Linux Enterprise Desktop 11 SP3
S.u.S.E. openSUSE 13.2
S.u.S.E. openSUSE 13.1
Redhat OpenStack 5.0 for RHEL 6
Redhat Enterprise Virtualization 3
Redhat Enterprise Linux Workstation 6
Redhat Enterprise Linux Virtualization 5 Server
Redhat Enterprise Linux Server EUS 6.6.z
Redhat Enterprise Linux Server 6
Redhat Enterprise Linux HPC Node 6
Redhat Enterprise Linux Desktop Multi OS 5 client
Redhat Enterprise Linux Desktop 6
QEMU QEMU 0
Oracle Enterprise Linux 6.2
Oracle Enterprise Linux 6
Oracle Enterprise Linux 5
Juniper NorthStar Controller Application 2.1.0
Gentoo Linux
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
CentOS CentOS 6
CentOS CentOS 5
Avaya Aura System Platform 6.2.2
Avaya Aura System Platform 6.2.1
Avaya Aura System Platform 6.0.2
Avaya Aura System Platform 6.0.1
Avaya Aura System Platform 6.3
Avaya Aura System Platform 6.2
Avaya Aura System Platform 6.0.3.9.3
Avaya Aura System Platform 6.0.3.8.3
Avaya Aura System Platform 6.0.3.0.3
Avaya Aura System Platform 6.0
References:
- [Qemu-devel] [PULL 1/1] pcnet: force the buffer access to be in bounds during tx (mail-archive)
- Bug 1225882 - (CVE-2015-3209, xsa135) CVE-2015-3209 qemu: pcnet: multi-tmd buffe (Red Hat Bugzilla)
- QEMU Homepage (QEMU)
- 2107-04 Security Bulletin: Multiple Vulnerabilities in NorthStar Controller Appl (juniper)
- Heap overflow in QEMU PCNET controller, allowing guest->host escape (Xen)
- Important: qemu-kvm security update (Red Hat)
- Important: qemu-kvm-rhev security update (Red Hat)
- Important: qemu-kvm-rhev security update (Red Hat)
- kvm security update (RHSA-2015-1189) (Avaya)