CVE-2009-3616 - OpenCVE

Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Enterprise Linux Workstation Enterprise Linux Server
Qemu	Qemu

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*

References

Link	Resource
http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5	Broken Link Exploit
http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331	Broken Link Exploit
http://marc.info/?l=qemu-devel&m=124324043812915	Mailing List
http://rhn.redhat.com/errata/RHEA-2009-1272.html	Third Party Advisory
http://www.openwall.com/lists/oss-security/2009/10/16/5	Mailing List Patch
http://www.openwall.com/lists/oss-security/2009/10/16/8	Mailing List Patch
http://www.securityfocus.com/bid/36716	Broken Link Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=501131	Issue Tracking Patch
https://bugzilla.redhat.com/show_bug.cgi?id=505641	Exploit Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=508567	Issue Tracking

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2009-10-23T18:00:00

Updated: 2009-12-01T10:00:00

Reserved: 2009-10-09T00:00:00

Link: CVE-2009-3616

JSON object: View

NVD Information

Status : Analyzed

Published: 2009-10-23T18:30:00.390

Modified: 2024-02-15T21:06:20.270

Link: CVE-2009-3616

JSON object: View

Redhat Information

No data.

CWE

CWE-416

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-10-16T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2009-12-01T10:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=501131"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331"}, {"name": "[oss-security] 20091016 Re: QEMU VNC use-after-free", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2009/10/16/8"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5"}, {"name": "[qemu-devel] 20090525 Re: [STABLE] [BUG] VNC mode can crash QEMU", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://marc.info/?l=qemu-devel&m=124324043812915"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=508567"}, {"name": "36716", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/36716"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://rhn.redhat.com/errata/RHEA-2009-1272.html"}, {"name": "[oss-security] 20091016 QEMU VNC use-after-free", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2009/10/16/5"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=505641"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2009-3616", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=501131", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=501131"}, {"name": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331", "refsource": "CONFIRM", "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331"}, {"name": "[oss-security] 20091016 Re: QEMU VNC use-after-free", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/10/16/8"}, {"name": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5", "refsource": "CONFIRM", "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5"}, {"name": "[qemu-devel] 20090525 Re: [STABLE] [BUG] VNC mode can crash QEMU", "refsource": "MLIST", "url": "http://marc.info/?l=qemu-devel&m=124324043812915"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=508567", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=508567"}, {"name": "36716", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36716"}, {"name": "http://rhn.redhat.com/errata/RHEA-2009-1272.html", "refsource": "CONFIRM", "url": "http://rhn.redhat.com/errata/RHEA-2009-1272.html"}, {"name": "[oss-security] 20091016 QEMU VNC use-after-free", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/10/16/5"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=505641", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=505641"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2009-3616", "datePublished": "2009-10-23T18:00:00", "dateReserved": "2009-10-09T00:00:00", "dateUpdated": "2009-12-01T10:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*", "matchCriteriaId": "27270035-8337-4B8E-8305-951D7063F2D1", "versionEndIncluding": "0.10.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "54D669D4-6D7E-449D-80C1-28FA44F06FFE", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "D0AC5CD5-6E58-433C-9EB3-6DFE5656463E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de uso anterior a la liberaci\u00f3n en vnc.c del servidor VNC en QEMU v0.10.6 y anteriores, permite a usuarios del sistema anfitri\u00f3n ejecutar c\u00f3digo de su elecci\u00f3n en el sistema hospedado, estableciendo una conexi\u00f3n desde el cliente VNC y a continuaci\u00f3n (1) desconectando durante la transferencia de datos, (2) enviando un mensaje utilizando tipos de datos enteros incorrectos, o (3) utilizando el protocolo Fuzzy Screen Mode, relativo a una doble liberaci\u00f3n de vulnerabilidades."}], "id": "CVE-2009-3616", "lastModified": "2024-02-15T21:06:20.270", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 8.5, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2009-10-23T18:30:00.390", "references": [{"source": "secalert@redhat.com", "tags": ["Broken Link", "Exploit"], "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5"}, {"source": "secalert@redhat.com", "tags": ["Broken Link", "Exploit"], "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331"}, {"source": "secalert@redhat.com", "tags": ["Mailing List"], "url": "http://marc.info/?l=qemu-devel&m=124324043812915"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHEA-2009-1272.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Patch"], "url": "http://www.openwall.com/lists/oss-security/2009/10/16/5"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Patch"], "url": "http://www.openwall.com/lists/oss-security/2009/10/16/8"}, {"source": "secalert@redhat.com", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/36716"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=501131"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=505641"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=508567"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}