CVE-2016-2392 - OpenCVE

The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:L/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Canonical	Ubuntu Linux
Qemu	Qemu

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:2.5.0:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:15.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::

References

Link	Resource
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=80eecda8e5d09c442c24307f340840a5b70ea3b9
http://lists.nongnu.org/archive/html/qemu-stable/2016-03/msg00064.html	Vendor Advisory
http://www.openwall.com/lists/oss-security/2016/02/16/7
http://www.securityfocus.com/bid/83274
http://www.ubuntu.com/usn/USN-2974-1
https://bugzilla.redhat.com/show_bug.cgi?id=1302299
https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg02553.html	Vendor Advisory
https://security.gentoo.org/glsa/201604-01

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2016-06-16T18:00:00

Updated: 2018-12-01T10:57:01

Reserved: 2016-02-16T00:00:00

Link: CVE-2016-2392

JSON object: View

NVD Information

Status : Modified

Published: 2016-06-16T18:59:04.640

Modified: 2023-02-13T04:50:05.473

Link: CVE-2016-2392

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-02-11T00:00:00", "descriptions": [{"lang": "en", "value": "The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-01T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "83274", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/83274"}, {"name": "[qemu-devel] 20160211 [Qemu-devel] [PATCH] usb: check USB configuration descriptor object", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg02553.html"}, {"name": "[oss-security] 20160216 CVE request Qemu: usb: null pointer dereference in remote NDIS control message handling", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/02/16/7"}, {"name": "GLSA-201604-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201604-01"}, {"name": "USN-2974-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2974-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=80eecda8e5d09c442c24307f340840a5b70ea3b9"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1302299"}, {"name": "[debian-lts-announce] 20181130 [SECURITY] [DLA 1599-1] qemu security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html"}, {"name": "[qemu-stable] 20160329 [Qemu-stable] [ANNOUNCE] QEMU 2.5.1 Stable released", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.nongnu.org/archive/html/qemu-stable/2016-03/msg00064.html"}]}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-2392", "datePublished": "2016-06-16T18:00:00", "dateReserved": "2016-02-16T00:00:00", "dateUpdated": "2018-12-01T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "25A6B764-D4E8-4A14-A825-C7B8569AE847", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet."}, {"lang": "es", "value": "La funci\u00f3n is_rndis en el dispositivo de emulaci\u00f3n USB Net (hw/usb/dev-network.c) en QEMU en versiones anteriores a 2.5.1 no valida correctamente objetos descriptores de configuraci\u00f3n USB, lo que permite a administradores locales del SO invitado provocar una denegaci\u00f3n de servicio (referencia a puntero NULL y ca\u00edda del proceso QEMU) a trav\u00e9s de vectores que involucran un paquete de mensajes de control remoto de NDIS."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/476.html\">CWE-476: NULL Pointer Dereference</a>", "id": "CVE-2016-2392", "lastModified": "2023-02-13T04:50:05.473", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.0, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-06-16T18:59:04.640", "references": [{"source": "secalert@redhat.com", "url": "http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=80eecda8e5d09c442c24307f340840a5b70ea3b9"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://lists.nongnu.org/archive/html/qemu-stable/2016-03/msg00064.html"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2016/02/16/7"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/83274"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2974-1"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1302299"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg02553.html"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201604-01"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}