ID

VAR-201508-0166


CVE

CVE-2015-3214


TITLE

Linux kernel and QEMU: pit_ioport_read in i8254.c allows arbitrary code execution on the host OS

Trust: 0.8

sources: JVNDB: JVNDB-2015-004512

DESCRIPTION

The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.

QEMU is prone to a memory-corruption vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code on the host with the privileges of the hosting QEMU process. Failed exploit attempts may result in a denial-of-service condition.

The Linux kernel is the kernel of the open source operating system Linux, released by the Linux Foundation in the United States. The NFSv4 implementation is one of its distributed file system protocols. QEMU (Quick Emulator) is processor emulation software developed by French programmer Fabrice Bellard; it is fast and cross-platform. A security vulnerability exists in the 'pit_ioport_read' function in the i8254.c file of Linux kernel 2.6.32 and earlier and QEMU 2.3.0 and earlier. The vulnerability is due to the program not distinguishing between read length and write length.

Relevant releases/architectures: RHEV-H and VDSM for 7 Hosts - x86_64 3.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: qemu-kvm security and bug fix update
Advisory ID: RHSA-2015:1507-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1507.html
Issue date: 2015-07-27
CVE Names: CVE-2015-3214 CVE-2015-5154
=====================================================================

1. Summary:

Updated qemu-kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM.

A heap buffer overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. (CVE-2015-5154)

An out-of-bounds memory access flaw, leading to memory corruption or possibly an information leak, was found in QEMU's pit_ioport_read() function. (CVE-2015-3214)

Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting the CVE-2015-3214 issue. The CVE-2015-5154 issue was discovered by Kevin Wolf of Red Hat.

This update also fixes the following bug:

* Due to an incorrect implementation of portable memory barriers, the QEMU emulator in some cases terminated unexpectedly when a virtual disk was under heavy I/O load. This update fixes the implementation in order to achieve correct synchronization between QEMU's threads. As a result, the described crash no longer occurs. (BZ#1233643)

All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1229640 - CVE-2015-3214 qemu/kvm: i8254: out-of-bounds memory access in pit_ioport_read function
1243563 - CVE-2015-5154 qemu: ide: atapi: heap overflow during I/O buffer memory access

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
qemu-kvm-1.5.3-86.el7_1.5.src.rpm

x86_64:
libcacard-1.5.3-86.el7_1.5.i686.rpm
libcacard-1.5.3-86.el7_1.5.x86_64.rpm
qemu-img-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-common-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.i686.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-tools-1.5.3-86.el7_1.5.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
libcacard-devel-1.5.3-86.el7_1.5.i686.rpm
libcacard-devel-1.5.3-86.el7_1.5.x86_64.rpm
libcacard-tools-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.i686.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
qemu-kvm-1.5.3-86.el7_1.5.src.rpm

x86_64:
libcacard-1.5.3-86.el7_1.5.i686.rpm
libcacard-1.5.3-86.el7_1.5.x86_64.rpm
libcacard-devel-1.5.3-86.el7_1.5.i686.rpm
libcacard-devel-1.5.3-86.el7_1.5.x86_64.rpm
libcacard-tools-1.5.3-86.el7_1.5.x86_64.rpm
qemu-img-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-common-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.i686.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-tools-1.5.3-86.el7_1.5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
qemu-kvm-1.5.3-86.el7_1.5.src.rpm

ppc64:
qemu-img-1.5.3-86.el7_1.5.ppc64.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.ppc64.rpm

x86_64:
libcacard-1.5.3-86.el7_1.5.i686.rpm
libcacard-1.5.3-86.el7_1.5.x86_64.rpm
qemu-img-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-common-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.i686.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-tools-1.5.3-86.el7_1.5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
libcacard-1.5.3-86.el7_1.5.ppc.rpm
libcacard-1.5.3-86.el7_1.5.ppc64.rpm
libcacard-devel-1.5.3-86.el7_1.5.ppc.rpm
libcacard-devel-1.5.3-86.el7_1.5.ppc64.rpm
libcacard-tools-1.5.3-86.el7_1.5.ppc64.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.ppc.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.ppc64.rpm

x86_64:
libcacard-devel-1.5.3-86.el7_1.5.i686.rpm
libcacard-devel-1.5.3-86.el7_1.5.x86_64.rpm
libcacard-tools-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.i686.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
qemu-kvm-1.5.3-86.el7_1.5.src.rpm

x86_64:
libcacard-1.5.3-86.el7_1.5.i686.rpm
libcacard-1.5.3-86.el7_1.5.x86_64.rpm
qemu-img-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-common-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.i686.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-tools-1.5.3-86.el7_1.5.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
libcacard-devel-1.5.3-86.el7_1.5.i686.rpm
libcacard-devel-1.5.3-86.el7_1.5.x86_64.rpm
libcacard-tools-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.i686.rpm
qemu-kvm-debuginfo-1.5.3-86.el7_1.5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-3214
https://access.redhat.com/security/cve/CVE-2015-5154
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVtjQAXlSAg2UNWIIRAubOAJ9jPmZf7ZF+FHd+a7JxYxxRPAGx0wCgv5dX
hlTFJ96W8Yn4W+ZR2yhsbBU=
=i68a
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

.

============================================================================
Ubuntu Security Notice USN-2692-1
July 28, 2015

qemu vulnerabilities
============================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.04
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in QEMU.

In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile.

In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-5154)

Zhu Donghai discovered that QEMU incorrectly handled the SCSI driver. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 15.04. (CVE-2015-5158)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 15.04:
qemu-system 1:2.2+dfsg-5expubuntu9.3
qemu-system-aarch64 1:2.2+dfsg-5expubuntu9.3
qemu-system-arm 1:2.2+dfsg-5expubuntu9.3
qemu-system-mips 1:2.2+dfsg-5expubuntu9.3
qemu-system-misc 1:2.2+dfsg-5expubuntu9.3
qemu-system-ppc 1:2.2+dfsg-5expubuntu9.3
qemu-system-sparc 1:2.2+dfsg-5expubuntu9.3
qemu-system-x86 1:2.2+dfsg-5expubuntu9.3

Ubuntu 14.04 LTS:
qemu-system 2.0.0+dfsg-2ubuntu1.15
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.15
qemu-system-arm 2.0.0+dfsg-2ubuntu1.15
qemu-system-mips 2.0.0+dfsg-2ubuntu1.15
qemu-system-misc 2.0.0+dfsg-2ubuntu1.15
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.15
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.15
qemu-system-x86 2.0.0+dfsg-2ubuntu1.15

After a standard system update you need to restart all QEMU virtual machines to make all the necessary changes.

CVE-2015-5165

Donghai Zhu discovered that the QEMU model of the RTL8139 network card did not sufficiently validate inputs in the C+ mode offload emulation, allowing a malicious guest to read uninitialized memory from the QEMU process's heap.

CVE-2015-5225

Mr Qinghao Tang from QIHU 360 Inc.

For the oldstable distribution (wheezy), these problems have been fixed in version 1.1.2+dfsg-6a+deb7u9. The oldstable distribution is only affected by CVE-2015-5165 and CVE-2015-5745.

For the stable distribution (jessie), these problems have been fixed in version 1:2.1+dfsg-12+deb8u2.

For the unstable distribution (sid), these problems have been fixed in version 1:2.4+dfsg-1a.

We recommend that you upgrade your qemu packages.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: QEMU: Arbitrary code execution
Date: October 31, 2015
Bugs: #551752, #555680, #556050, #556052
ID: 201510-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A heap-based buffer overflow in QEMU could result in execution of arbitrary code.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-emulation/qemu < 2.3.0-r4 >= 2.3.0-r4

Description
===========

Heap-based buffer overflow has been found in QEMU's PCNET controller.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QEMU users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.3.0-r4"

References
==========

[ 1 ] CVE-2015-3209 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3209
[ 2 ] CVE-2015-3214 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3214
[ 3 ] CVE-2015-5154 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5154
[ 4 ] CVE-2015-5158 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5158

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201510-02

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Trust: 2.61

sources: NVD: CVE-2015-3214 // JVNDB: JVNDB-2015-004512 // BID: 75273 // VULHUB: VHN-81175 // VULMON: CVE-2015-3214 // PACKETSTORM: 132839 // PACKETSTORM: 132859 // PACKETSTORM: 132838 // PACKETSTORM: 132855 // PACKETSTORM: 133422 // PACKETSTORM: 134165

AFFECTED PRODUCTS

vendor | model | scope | version | Trust

debian | linux | eq | 8.0 | 1.0
arista | eos | eq | 4.15 | 1.0
redhat | enterprise linux compute node eus | eq | 7.7 | 1.0
redhat | enterprise linux server from rhui | eq | 7.0 | 1.0
linux | kernel | lte | 2.6.32 | 1.0
redhat | enterprise linux for power big endian eus | eq | 7.7_ppc64 | 1.0
qemu | qemu | lte | 2.3.0 | 1.0
redhat | enterprise linux for power big endian eus | eq | 7.2_ppc64 | 1.0
redhat | enterprise linux server aus | eq | 7.6 | 1.0
redhat | enterprise linux server | eq | 7.0 | 1.0
redhat | enterprise linux server tus | eq | 7.6 | 1.0
redhat | enterprise linux for power big endian eus | eq | 7.3_ppc64 | 1.0
debian | linux | eq | 7.0 | 1.0
lenovo | emc px12-400r ivx | lt | 1.0.10.33264 | 1.0
redhat | enterprise linux compute node eus | eq | 7.4 | 1.0
redhat | enterprise linux server update services for sap solutions | eq | 7.6 | 1.0
redhat | enterprise linux workstation | eq | 7.0 | 1.0
redhat | enterprise linux server aus | eq | 7.7 | 1.0
redhat | enterprise linux server eus | eq | 7.6 | 1.0
redhat | virtualization | eq | 3.0 | 1.0
redhat | enterprise linux server eus | eq | 7.1 | 1.0
redhat | enterprise linux compute node eus | eq | 7.5 | 1.0
redhat | enterprise linux compute node eus | eq | 7.3 | 1.0
redhat | enterprise linux server eus | eq | 7.2 | 1.0
redhat | enterprise linux server update services for sap solutions | eq | 7.2 | 1.0
lenovo | emc px12-450r ivx | lt | 1.0.10.33264 | 1.0
redhat | enterprise linux server tus | eq | 7.7 | 1.0
redhat | openstack | eq | 6.0 | 1.0
redhat | enterprise linux for power big endian eus | eq | 7.4_ppc64 | 1.0
redhat | enterprise linux server update services for sap solutions | eq | 7.7 | 1.0
redhat | openstack | eq | 5.0 | 1.0
arista | eos | eq | 4.12 | 1.0
redhat | enterprise linux server eus | eq | 7.7 | 1.0
redhat | enterprise linux server aus | eq | 7.4 | 1.0
arista | eos | eq | 4.13 | 1.0
redhat | enterprise linux for power big endian | eq | 7.0 | 1.0
redhat | enterprise linux server aus | eq | 7.3 | 1.0
redhat | enterprise linux for power big endian eus | eq | 7.6_ppc64 | 1.0
redhat | enterprise linux for power big endian eus | eq | 7.5_ppc64 | 1.0
redhat | enterprise linux server update services for sap solutions | eq | 7.4 | 1.0
redhat | enterprise linux server eus | eq | 7.4 | 1.0
redhat | enterprise linux server tus | eq | 7.3 | 1.0
redhat | enterprise linux compute node eus | eq | 7.6 | 1.0
redhat | enterprise linux for scientific computing | eq | 7.0 | 1.0
arista | eos | eq | 4.14 | 1.0
redhat | enterprise linux server eus | eq | 7.5 | 1.0
redhat | enterprise linux compute node eus | eq | 7.1 | 1.0
redhat | enterprise linux server eus | eq | 7.3 | 1.0
redhat | enterprise linux server update services for sap solutions | eq | 7.3 | 1.0
redhat | enterprise linux compute node eus | eq | 7.2 | 1.0
redhat | enterprise linux for power big endian eus | eq | 7.1_ppc64 | 1.0
fabrice bellard | qemu | lt | 2.3.1 | 0.8
linux | kernel | lt | 2.6.33 | 0.8
linux | kernel | eq | 2.6.32 | 0.6
ubuntu | linux | eq | 15.04 | 0.3
ubuntu | linux lts | eq | 14.04 | 0.3
redhat | enterprise virtualization hypervisor | eq | 7 | 0.3
redhat | enterprise linux workstation | eq | 7 | 0.3
redhat | enterprise linux server | eq | 7 | 0.3
redhat | enterprise linux hpc node | eq | 7 | 0.3
redhat | enterprise linux desktop | eq | 7 | 0.3
qemu | qemu | eq | 0 | 0.3
oracle | enterprise linux | eq | 7 | 0.3
ibm | powerkvm | eq | 2.1 | 0.3
gentoo | linux | - | - | 0.3
debian | linux sparc | eq | 6.0 | 0.3
debian | linux s/390 | eq | 6.0 | 0.3
debian | linux powerpc | eq | 6.0 | 0.3
debian | linux mips | eq | 6.0 | 0.3
debian | linux ia-64 | eq | 6.0 | 0.3
debian | linux ia-32 | eq | 6.0 | 0.3
debian | linux arm | eq | 6.0 | 0.3
debian | linux amd64 | eq | 6.0 | 0.3
centos | centos | eq | 7 | 0.3
ibm | powerkvm build | ne | 2.1.158 | 0.3

sources: BID: 75273 // JVNDB: JVNDB-2015-004512 // CNNVD: CNNVD-201506-371 // NVD: CVE-2015-3214

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-3214
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-3214
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201506-371
value: MEDIUM

Trust: 0.6

VULHUB: VHN-81175
value: MEDIUM

Trust: 0.1

VULMON: CVE-2015-3214
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-3214
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-81175
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-81175 // VULMON: CVE-2015-3214 // JVNDB: JVNDB-2015-004512 // CNNVD: CNNVD-201506-371 // NVD: CVE-2015-3214

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-81175 // JVNDB: JVNDB-2015-004512 // NVD: CVE-2015-3214

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201506-371

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201506-371

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004512

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-81175 // VULMON: CVE-2015-3214

PATCH

title: KVM: PIT: control word is write-only
url: https://github.com/torvalds/linux/commit/ee73f656a604d5aa9df86a97102e4e462dd79924

Trust: 0.8

title: Linux Kernel Archives
url: http://www.kernel.org

Trust: 0.8

title: KVM: PIT: control word is write-only
url: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee73f656a604d5aa9df86a97102e4e462dd79924

Trust: 0.8

title: Main Page
url: http://wiki.qemu.org/Main_Page

Trust: 0.8

title: Bug 1229640
url: https://bugzilla.redhat.com/show_bug.cgi?id=1229640

Trust: 0.8

title: Linux kernel and QEMU 'pit_ioport_read()' function buffer error vulnerability fix
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=179689

Trust: 0.6

title: Ubuntu Security Notice: qemu vulnerabilities
url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-2692-1

Trust: 0.1

title: Red Hat: CVE-2015-3214
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2015-3214

Trust: 0.1

title: Debian Security Advisories: DSA-3348-1 qemu -- security update
url: https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=e77a95c04be0a28f98566f006db46f03

Trust: 0.1

title: Debian CVElist Bug Report Logs: qemu: CVE-2015-5225: ui: vnc: heap memory corruption in vnc_refresh_server_surface
url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=d315b3f2df801c1586a4d3ea5f0ef1c4

Trust: 0.1

title: Debian CVElist Bug Report Logs: qemu: CVE-2015-5158: scsi stack buffer overflow
url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=2bc68b0a8f94995d352f509d204ba98b

Trust: 0.1

title: Debian CVElist Bug Report Logs: qemu: CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol
url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=78f6b481a815feb050c6fe696b774caa

Trust: 0.1

title: Debian CVElist Bug Report Logs: qemu: CVE-2015-3214: i8254: out-of-bounds memory access in pit_ioport_read function
url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=3e5707b2974af878892901fb1518c885

Trust: 0.1

title: Debian CVElist Bug Report Logs: qemu: CVE-2015-5745: buffer overflow in virtio-serial
url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=b661eddefc5e1edaa146807f1a72ab9d

Trust: 0.1

title: Debian CVElist Bug Report Logs: qemu: CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access
url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=ac31639f0a78082f2e78528ea7e0203f

Trust: 0.1

title: Debian CVElist Bug Report Logs: qemu: CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest
url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=0e14e001f6f939c9dca39f2c06ec9285

Trust: 0.1

title: cve_diff_checker
url: https://github.com/lcatro/cve_diff_checker

Trust: 0.1

title: CVE-Study
url: https://github.com/thdusdl1219/CVE-Study

Trust: 0.1

sources: VULMON: CVE-2015-3214 // JVNDB: JVNDB-2015-004512 // CNNVD: CNNVD-201506-371

EXTERNAL IDS

db | id | Trust

NVD | CVE-2015-3214 | 3.5
BID | 75273 | 2.1
SECTRACK | 1032598 | 1.8
EXPLOIT-DB | 37990 | 1.8
OPENWALL | OSS-SECURITY/2015/06/25/7 | 1.8
JVNDB | JVNDB-2015-004512 | 0.8
CNNVD | CNNVD-201506-371 | 0.7
PACKETSTORM | 133422 | 0.2
PACKETSTORM | 132859 | 0.2
PACKETSTORM | 132855 | 0.2
PACKETSTORM | 132838 | 0.2
PACKETSTORM | 132839 | 0.2
VULHUB | VHN-81175 | 0.1
VULMON | CVE-2015-3214 | 0.1
PACKETSTORM | 134165 | 0.1

sources: VULHUB: VHN-81175 // VULMON: CVE-2015-3214 // BID: 75273 // JVNDB: JVNDB-2015-004512 // PACKETSTORM: 132839 // PACKETSTORM: 132859 // PACKETSTORM: 132838 // PACKETSTORM: 132855 // PACKETSTORM: 133422 // PACKETSTORM: 134165 // CNNVD: CNNVD-201506-371 // NVD: CVE-2015-3214

REFERENCES

url:https://www.exploit-db.com/exploits/37990/

Trust: 1.9

url:http://www.securityfocus.com/bid/75273

Trust: 1.9

url:https://security.gentoo.org/glsa/201510-02

Trust: 1.9

url:http://rhn.redhat.com/errata/rhsa-2015-1507.html

Trust: 1.9

url:http://rhn.redhat.com/errata/rhsa-2015-1508.html

Trust: 1.9

url:http://rhn.redhat.com/errata/rhsa-2015-1512.html

Trust: 1.9

url:http://www.securitytracker.com/id/1032598

Trust: 1.8

url:http://www.debian.org/security/2015/dsa-3348

Trust: 1.8

url:http://www.openwall.com/lists/oss-security/2015/06/25/7

Trust: 1.8

url:https://www.mail-archive.com/qemu-devel%40nongnu.org/msg304138.html

Trust: 1.8

url:http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee73f656a604d5aa9df86a97102e4e462dd79924

Trust: 1.8

url:http://mirror.linux.org.au/linux/kernel/v2.6/changelog-2.6.33

Trust: 1.8

url:https://bugzilla.redhat.com/show_bug.cgi?id=1229640

Trust: 1.8

url:https://github.com/torvalds/linux/commit/ee73f656a604d5aa9df86a97102e4e462dd79924

Trust: 1.8

url:https://support.lenovo.com/product_security/qemu

Trust: 1.8

url:https://support.lenovo.com/us/en/product_security/qemu

Trust: 1.8

url:https://www.arista.com/en/support/advisories-notices/security-advisories/1180-security-advisory-13

Trust: 1.8

url:https://access.redhat.com/security/cve/cve-2015-3214

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3214

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-3214

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2015-5154

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2015-3214

Trust: 0.6

url:https://access.redhat.com/errata/rhsa-2015:1507

Trust: 0.6

url:https://access.redhat.com/errata/rhsa-2015:1508

Trust: 0.6

url:https://www.mail-archive.com/qemu-devel@nongnu.org/msg304138.html

Trust: 0.6

url:https://access.redhat.com/errata/rhsa-2015:1512

Trust: 0.6

url:http://wiki.qemu.org/main_page

Trust: 0.3

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.3

url:https://bugzilla.redhat.com/):

Trust: 0.3

url:https://access.redhat.com/security/team/key/

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2015-5154

Trust: 0.3

url:https://access.redhat.com/articles/11258

Trust: 0.3

url:https://access.redhat.com/security/team/contact/

Trust: 0.3

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2015-5158

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://usn.ubuntu.com/2692-1/

Trust: 0.1

url:http://www.ubuntu.com/usn/usn-2692-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/qemu/1:2.2+dfsg-5expubuntu9.3

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.15

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-5745

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-5225

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-5165

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-3214

Trust: 0.1

url:http://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-5154

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-3209

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-5158

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-3209

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

sources: VULHUB: VHN-81175 // VULMON: CVE-2015-3214 // BID: 75273 // JVNDB: JVNDB-2015-004512 // PACKETSTORM: 132839 // PACKETSTORM: 132859 // PACKETSTORM: 132838 // PACKETSTORM: 132855 // PACKETSTORM: 133422 // PACKETSTORM: 134165 // CNNVD: CNNVD-201506-371 // NVD: CVE-2015-3214

CREDITS

Matt Tait of Google's Project Zero.

Trust: 0.9

sources: BID: 75273 // CNNVD: CNNVD-201506-371

SOURCES

db | id

VULHUB | VHN-81175
VULMON | CVE-2015-3214
BID | 75273
JVNDB | JVNDB-2015-004512
PACKETSTORM | 132839
PACKETSTORM | 132859
PACKETSTORM | 132838
PACKETSTORM | 132855
PACKETSTORM | 133422
PACKETSTORM | 134165
CNNVD | CNNVD-201506-371
NVD | CVE-2015-3214

LAST UPDATE DATE

2024-08-14T13:11:47.612000+00:00


SOURCES UPDATE DATE

db | id | date

VULHUB | VHN-81175 | 2023-02-13T00:00:00
VULMON | CVE-2015-3214 | 2023-02-13T00:00:00
BID | 75273 | 2015-12-08T22:03:00
JVNDB | JVNDB-2015-004512 | 2015-09-01T00:00:00
CNNVD | CNNVD-201506-371 | 2023-04-10T00:00:00
NVD | CVE-2015-3214 | 2023-02-13T00:48:24.553

SOURCES RELEASE DATE

db | id | date

VULHUB | VHN-81175 | 2015-08-31T00:00:00
VULMON | CVE-2015-3214 | 2015-08-31T00:00:00
BID | 75273 | 2015-06-17T00:00:00
JVNDB | JVNDB-2015-004512 | 2015-09-01T00:00:00
PACKETSTORM | 132839 | 2015-07-27T15:37:06
PACKETSTORM | 132859 | 2015-07-29T01:13:01
PACKETSTORM | 132838 | 2015-07-27T15:36:52
PACKETSTORM | 132855 | 2015-07-29T00:57:08
PACKETSTORM | 133422 | 2015-09-03T22:28:25
PACKETSTORM | 134165 | 2015-11-02T16:49:11
CNNVD | CNNVD-201506-371 | 2015-06-23T00:00:00
NVD | CVE-2015-3214 | 2015-08-31T10:59:07.580