QEMU and KVM Cirrus VGA buffer overflow
| qemu-kvm-cirrusvga-bo (47736) |  High Risk |
Description:
QEMU and KVM (Kernel-based Virtual Machine) are vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the cirrus_invalidate_region() function of the Cirrus VGA driver. By connecting using the VNC console, a local attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the application to crash.
*CVSS:
| Base Score: | 4.6 |
| Access Vector: | Local |
| Access Complexity: | Low |
| Authentication: | None |
| Confidentiality Impact: | Partial |
| Integrity Impact: | Partial |
| Availability Impact: | Partial |
| Temporal Score: | 3.4 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Access
Remedy:
For QEMU:
Apply the patch available from the QEMU SVN Repository. See References.
For other distributions:
Apply the appropriate update for your system. See References.
References:
- FEDORA-2008-11705 : [SECURITY] Fedora 9 Update: kvm-65-15.fc9.
- Linux Kernel GIT Repository: git.kernel.dk Git - qemu.git/commitdiff.
- linux.debian.changes.devel Web page: Accepted qemu 0.9.1+svn20081101-1 (source amd64) - linux.debian.changes.devel.
- qemu package Web page: qemu 0.9.1+svn20081112-1ubuntu1 (source) in ubuntu jaunty.
- QEMU SVN Repository: project qemu - Revision 5587.
- Red Hat Bugzilla ¿ Bug 466890: CVE-2008-4539 kvm/qemu/xen: Incomplete upstream fix for CVE-2007-1320.
- Secure testing commits Mailing List, 2008-11-03 09:25:17 +0000 (Mon, 03 Nov 2008) : r10251 - data/CVE.
- CVE-2008-4539: Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM before kvm-82 and (2) QEMU on Debian GNU/Linux and Ubuntu might allow local users to gain privileges by using the VNC console for a connection, aka the LGD-54XX bitblt heap overflow. NOTE: this issue exists because of an incorrect fix for CVE-2007-1320.
- DSA-1799: qemu -- several vulnerabilities
- SA25073: QEMU Various Vulnerabilities
- SA29129: KVM Block Device Backend Security Bypass
- SA33350: Fedora update for kvm
- SUSE-SR:2009:008: SUSE Security Summary Report
- USN-776-1: KVM vulnerabilities
- USN-776-2: KVM regression
Platforms Affected:
- Canonical Ubuntu 8.04 LTS
- Canonical Ubuntu 8.10
- Debian Debian Linux 4.0
- Debian Debian Linux 5.0
- Fabrice Bellard QEMU
- FedoraProject Fedora Core 9
- KVM Qumranet KVM 1
- KVM Qumranet KVM 10
- KVM Qumranet KVM 11
- KVM Qumranet KVM 12
- KVM Qumranet KVM 13
- KVM Qumranet KVM 14
- KVM Qumranet KVM 15
- KVM Qumranet KVM 16
- KVM Qumranet KVM 17
- KVM Qumranet KVM 18
- KVM Qumranet KVM 19
- KVM Qumranet KVM 2
- KVM Qumranet KVM 20
- KVM Qumranet KVM 21
- KVM Qumranet KVM 22
- KVM Qumranet KVM 23
- KVM Qumranet KVM 24
- KVM Qumranet KVM 25
- KVM Qumranet KVM 26
- KVM Qumranet KVM 27
- KVM Qumranet KVM 28
- KVM Qumranet KVM 29
- KVM Qumranet KVM 3
- KVM Qumranet KVM 30
- KVM Qumranet KVM 31
- KVM Qumranet KVM 32
- KVM Qumranet KVM 33
- KVM Qumranet KVM 34
- KVM Qumranet KVM 35
- KVM Qumranet KVM 36
- KVM Qumranet KVM 37
- KVM Qumranet KVM 38
- KVM Qumranet KVM 39
- KVM Qumranet KVM 4
- KVM Qumranet KVM 40
- KVM Qumranet KVM 41
- KVM Qumranet KVM 42
- KVM Qumranet KVM 43
- KVM Qumranet KVM 44
- KVM Qumranet KVM 45
- KVM Qumranet KVM 46
- KVM Qumranet KVM 47
- KVM Qumranet KVM 48
- KVM Qumranet KVM 49
- KVM Qumranet KVM 5
- KVM Qumranet KVM 50
- KVM Qumranet KVM 51
- KVM Qumranet KVM 52
- KVM Qumranet KVM 53
- KVM Qumranet KVM 54
- KVM Qumranet KVM 55
- KVM Qumranet KVM 56
- KVM Qumranet KVM 57
- KVM Qumranet KVM 58
- KVM Qumranet KVM 59
- KVM Qumranet KVM 6
- KVM Qumranet KVM 60
- KVM Qumranet KVM 61
- KVM Qumranet KVM 62
- KVM Qumranet KVM 63
- KVM Qumranet KVM 64
- KVM Qumranet KVM 65
- KVM Qumranet KVM 66
- KVM Qumranet KVM 67
- KVM Qumranet KVM 68
- KVM Qumranet KVM 69
- KVM Qumranet KVM 7
- KVM Qumranet KVM 70
- KVM Qumranet KVM 71
- KVM Qumranet KVM 72
- KVM Qumranet KVM 73
- KVM Qumranet KVM 74
- KVM Qumranet KVM 75
- KVM Qumranet KVM 76
- KVM Qumranet KVM 77
- KVM Qumranet KVM 78
- KVM Qumranet KVM 79
- KVM Qumranet KVM 80
- KVM Qumranet KVM 81
Reported:
Sep 11, 2008
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.