CVE-2016-2538 - OpenCVE

Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Qemu	Qemu

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

References

Link	Resource
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=fe3c546c5ff2a6210f9a4d8561cc64051ca8603e
http://lists.nongnu.org/archive/html/qemu-stable/2016-03/msg00064.html
http://www.openwall.com/lists/oss-security/2016/02/22/3
http://www.securityfocus.com/bid/83336
http://www.ubuntu.com/usn/USN-2974-1
https://bugzilla.redhat.com/show_bug.cgi?id=1303120
https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg03658.html
https://security.gentoo.org/glsa/201604-01

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2016-06-16T18:00:00

Updated: 2018-12-01T10:57:01

Reserved: 2016-02-23T00:00:00

Link: CVE-2016-2538

JSON object: View

NVD Information

Status : Modified

Published: 2016-06-16T18:59:06.093

Modified: 2023-02-12T23:17:38.480

Link: CVE-2016-2538

JSON object: View

Redhat Information

No data.

CWE

CWE-189

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-02-16T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-01T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "83336", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/83336"}, {"name": "[qemu-devel] 20160216 [Qemu-devel] [PATCH 2/2] usb: check RNDIS buffer offsets & length", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg03658.html"}, {"name": "GLSA-201604-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201604-01"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=fe3c546c5ff2a6210f9a4d8561cc64051ca8603e"}, {"name": "USN-2974-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2974-1"}, {"name": "[oss-security] 20160222 CVE request Qemu: usb: integer overflow in remote NDIS control message handling", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/02/22/3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1303120"}, {"name": "[debian-lts-announce] 20181130 [SECURITY] [DLA 1599-1] qemu security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html"}, {"name": "[qemu-stable] 20160329 [Qemu-stable] [ANNOUNCE] QEMU 2.5.1 Stable released", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.nongnu.org/archive/html/qemu-stable/2016-03/msg00064.html"}]}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-2538", "datePublished": "2016-06-16T18:00:00", "dateReserved": "2016-02-23T00:00:00", "dateUpdated": "2018-12-01T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*", "matchCriteriaId": "585C8283-F180-4305-BFA0-B125754DFCC6", "versionEndIncluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de desbordamiento de entero en el dispositivo de emulaci\u00f3n USB Net (hw/usb/dev-network.c) en QEMU en versiones anteriores a 2.5.1 permite a administradores locales del SO invitado provocar una denegaci\u00f3n de servicio (ca\u00edda del proceso QEMU) u obtener informaci\u00f3n sensible de la memoria del anfitri\u00f3n a trav\u00e9s de un paquete de mensajes de control remoto de NDIS que no es manjeado correctamente en las funciones (1) rndis_query_response, (2) rndis_set_response o (3) usb_net_handle_dataout."}], "id": "CVE-2016-2538", "lastModified": "2023-02-12T23:17:38.480", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-06-16T18:59:06.093", "references": [{"source": "secalert@redhat.com", "url": "http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=fe3c546c5ff2a6210f9a4d8561cc64051ca8603e"}, {"source": "secalert@redhat.com", "url": "http://lists.nongnu.org/archive/html/qemu-stable/2016-03/msg00064.html"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2016/02/22/3"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/83336"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2974-1"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1303120"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html"}, {"source": "secalert@redhat.com", "url": "https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg03658.html"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201604-01"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-189"}], "source": "nvd@nist.gov", "type": "Primary"}]}