SecurityTracker.com

Category:   Application (Generic)  >   QEMU
Vendors:   QEMU.org
(CentOS Issues Fix for QEMU) Xen Heap Overflow in QEMU PCNET Controller Lets Local Guest Users Gain Privileges on the Host System
SecurityTracker Alert ID:  1032608
SecurityTracker URL:  http://securitytracker.com/id/1032608
CVE Reference:   CVE-2015-3209
Date:  Jun 18 2015
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Xen. A local user on a guest system can obtain privileges on the target host system. QEMU is affected.

A local user on a guest system can exploit a flaw in the QEMU PCNET device controller and trigger a heap overflow to execute arbitrary code on the target host system with the privileges of the QEMU process.

A user can send a specially crafted frame marked as TXSTATUS_STARTPACKET but not TXSTATUS_ENDPACKET and then a frame marked as TXSTATUS_DEVICEOWNS but without the TXSTATUS_STARTPACKET bits to trigger the overflow.

A guest system that has access to an emulated PCNET network device (e.g. with "model=pcnet" in the VIF configuration) can exploit this flaw.

Systems running x86 HVM guests without stubdomains and that have been configured to use the PCNET emulated driver model are affected.

The default configuration is not affected.

Systems running only PV guests are not affected.

ARM systems are not affected.
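
An added example (not from the advisory, Xen or QEMU): a Python check that applies the exposure conditions listed above to the text of an xl guest configuration. The `builder`/`type` and `device_model_stubdomain_override` keys are assumed from xl.cfg syntax, and the sample configurations are constructed.

```python
import re

HVM_RE = re.compile(r"""(?m)^\s*(?:builder|type)\s*=\s*["']hvm["']""")
STUBDOM_RE = re.compile(r"(?m)^\s*device_model_stubdomain_override\s*=\s*1\b")
VIF_RE = re.compile(r"(?ms)^\s*vif\s*=\s*\[(.*?)\]")

def _strip_comments(cfg_text):
    """Drop whole-line '#' comments so disabled settings are not counted."""
    return re.sub(r"(?m)^\s*#.*$", "", cfg_text)

def vif_models(cfg_text):
    """Return the emulated NIC model of each vif entry (None = default model)."""
    match = VIF_RE.search(_strip_comments(cfg_text))
    if not match:
        return []
    models = []
    for _quote, spec in re.findall(r"""(['"])(.*?)\1""", match.group(1), re.S):
        pairs = (kv.split("=", 1) for kv in spec.split(",") if "=" in kv)
        opts = {k.strip(): v.strip() for k, v in pairs}
        models.append(opts.get("model", "").lower() or None)
    return models

def is_exposed(cfg_text):
    """True for an HVM guest without a stubdomain that has a pcnet vif."""
    text = _strip_comments(cfg_text)
    if not HVM_RE.search(text):        # PV-only guests are not affected
        return False
    if STUBDOM_RE.search(text):        # device model runs in a stubdomain
        return False
    return "pcnet" in vif_models(text)

# Constructed sample guest configurations (assumed xl.cfg style).
SAMPLES = {
    "hvm-pcnet.cfg": 'builder = "hvm"\n'
                     "vif = [ 'mac=00:16:3e:00:00:01,bridge=xenbr0,model=pcnet' ]\n",
    "hvm-e1000.cfg": 'builder = "hvm"\n'
                     "vif = [ 'bridge=xenbr0,model=e1000', 'bridge=xenbr1' ]\n",
    "pv.cfg": 'kernel = "/boot/vmlinuz"\nvif = [ "bridge=xenbr0,model=pcnet" ]\n',
    "hvm-stubdom.cfg": 'type = "hvm"\ndevice_model_stubdomain_override = 1\n'
                       "vif = [ 'bridge=xenbr0,model=pcnet' ]\n",
    "hvm-commented.cfg": 'builder = "hvm"\n# vif = [ "model=pcnet" ]\n'
                         'vif = [ "bridge=xenbr0" ]\n',
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(f"{name}: {'EXPOSED' if is_exposed(cfg) else 'ok'} {vif_models(cfg)}")
```
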

Matt Tait of Google reported this vulnerability.

Impact:   A local user on a guest system can obtain privileges on the target host system.
Solution:   CentOS has issued a fix for QEMU.

Vendor URL:  xenbits.xen.org/xsa/advisory-135.html
Cause:   Boundary error
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  6

Message History:   This archive entry is a follow-up to the message listed below.
Jun 10 2015 Xen Heap Overflow in QEMU PCNET Controller Lets Local Guest Users Gain Privileges on the Host System



 Source Message Contents

Subject:  [CentOS-announce] CESA-2015:1087 Important CentOS 6 qemu-kvm Security Update


CentOS Errata and Security Advisory 2015:1087 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1087.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
f8d6bb87b54a05956cc46daa08aac5a396caeb5606382ad41727892e656ffb53  qemu-guest-agent-0.12.1.2-2.448.el6_6.4.i686.rpm

x86_64:
7066bac5fd89957feeb063713b3a87f9a2a8098f19d875417b1523976570a02b  qemu-guest-agent-0.12.1.2-2.448.el6_6.4.x86_64.rpm
a38e60d3e2ad9496185f4a6873be55916ddbaab38f6e27fe64f3dfd07862b978  qemu-img-0.12.1.2-2.448.el6_6.4.x86_64.rpm
d14a788d206d97466c26c0be1c33eeb30724511fd639b1ba61257dc00a00db25  qemu-kvm-0.12.1.2-2.448.el6_6.4.x86_64.rpm
978eace6168837b2f3cd7f62d42f586d3ce1e25e75ee8cfbef09cbb70cd87633  qemu-kvm-tools-0.12.1.2-2.448.el6_6.4.x86_64.rpm

Source:
96a9c268cb3ccdded1cc1a8ce3d97ea6f3ab22891ef32428dd2c1e5af4d41b47  qemu-kvm-0.12.1.2-2.448.el6_6.4.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

 
 

