PT-2017-3587 · Qemu+5

Daniel Berrange · Published 2017-12-12 · Updated 2023-02-12 · CVE-2017-15124

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: QEMU versions 2.11.0 and older
Description: The issue is caused by insufficient input validation in the VNC server implementation of the QEMU hardware emulator. A malicious remote VNC client can use this flaw to make the server allocate a growing amount of memory, leading to a denial of service on the server host.
Recommendations: For QEMU versions 2.11.0 and older, consider restricting access to the VNC server until a patch is available. As a temporary workaround, limiting the memory allocation for the VNC server or throttling the framebuffer updates sent to the client may help reduce the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

DoS

RCE

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

ALT-PU-2018-1226
BDU:2018-00519
CESA-2018_0816
CVE-2017-15124
DSA-4213-1
OPENSUSE-SU-2018_0780-1
RHSA-2018:0816
RHSA-2018:1104
RHSA-2018:1113
RHSA-2018:3062
RHSA-2018_0816
RHSA-2018_3062
SUSE-SU-2018:0762-1
SUSE-SU-2018:0831-1
USN-3575-1
USN-3575-2

Affected Products

ALT Linux
CentOS
QEMU
Red Hat
SUSE
Ubuntu