QEMU NE2000 emulator code execution

qemu-ne2000-code-execution (38238) The risk level is classified as HighHigh Risk

Description:

QEMU could allow a local attacker to execute arbitrary code on the vulnerable system, caused by an error in the NE2000 emulator. By writing an overly large Ethernet frame, a local attacker could exploit this vulnerability to possibly cause a heap-based buffer overflow and execute arbitrary code on the vulnerable system.

Platforms Affected:

  • Fabrice Bellard, QEMU 0.8.2
  • MandrakeSoft, Mandrake Linux 2007 X86_64
  • MandrakeSoft, Mandrake Linux 2007
  • MandrakeSoft, Mandrake Linux 2007.1
  • MandrakeSoft, Mandrake Linux 2007.1 X86_64
  • MandrakeSoft, Mandrake Linux 2008.0
  • MandrakeSoft, Mandrake Linux 2008.0 X86_64
  • MandrakeSoft, Mandrake Linux 2008.1 X86_64
  • MandrakeSoft, Mandrake Linux 2008.1
  • MandrakeSoft, Mandrake Linux Corporate Server 4.0
  • MandrakeSoft, Mandrake Linux Corporate Server 4.0 X86_64

Remedy:

Contact your vendor for upgrade or patch information. See References.

Consequences:

Gain Access

References:

  • QEMU Web site, QEMU at http://fabrice.bellard.free.fr/qemu/.
  • BID-23731: QEMU Multiple Local Vulnerabilities
  • CVE-2007-5729: The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitrary code by writing Ethernet frames with a size larger than the MTU to the EN0_TCNT register, which triggers a heap-based buffer overflow in the slirp library, aka NE2000 mtu heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of NE2000 network driver and the socket code
  • MDKSA-2007:203: Updated xen packages fix multiple vulnerabilities
  • MDVSA-2008:162: qemu
  • SA25073: QEMU Various Vulnerabilities
  • SA29129: KVM Block Device Backend Security Bypass
  • SUSE-SR:2009:002: SUSE Security Summary Report
  • VUPEN/ADV-2007-1597: QEMU Data Handling Multiple Command Execution and Denial of Service Vulnerabilities

Reported:

Nov 01, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page