SecurityTracker.com

SecurityTracker
Archives
Category:   Application (Generic)  >   QEMU Vendors:   QEMU.org
QEMU i8254 PIT Emulation Bug Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1032598
SecurityTracker URL:  http://securitytracker.com/id/1032598
CVE Reference:   CVE-2015-3214
Date:  Jun 17 2015
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.3.0
Description:   A vulnerability was reported in QEMU. A local user on the guest system can obtain elevated privileges on the target host system.

A local privileged user on a guest system that has QEMU programmable interval timer (PIT) enabled [not the default configuration] can issue a specially crafted read request from the PIT Mode/Command register to obtain potentially sensitive information or cause memory corruption and execute arbitrary code on the target host system.

The vulnerability resides in the uint64_t pit_ioport_read() function in '/hw/timer/i8254.c'.

Matt Tait of Google's Project Zero security team reported this vulnerability.

Impact:   A local privileged user on a guest system can obtain privileges on the target host system.
Solution:   The vendor has issued a source code fix. The proposed patch is available at:

https://www.mail-archive.com/qemu-devel@nongnu.org/msg304138.html

Vendor URL:  wiki.qemu.org/Main_Page
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 27 2015 (Red Hat Issues Fix) QEMU i8254 PIT Emulation Bug Lets Local Users Gain Elevated Privileges
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Jul 27 2015 (Red Hat Issues Fix for Red Hat Enterprise Virtualization Hypervisor) QEMU i8254 PIT Emulation Bug Lets Local Users Gain Elevated Privileges
Red Hat has issued a fix for Red Hat Enterprise Virtualization.
Jul 28 2015 (CentOS Issues Fix) QEMU i8254 PIT Emulation Bug Lets Local Users Gain Elevated Privileges
CentOS has issued a fix for CentOS 7.
Jul 28 2015 (Oracle Issues Fix for Oracle Linux) QEMU i8254 PIT Emulation Bug Lets Local Users Gain Elevated Privileges
Oracle has issued a fix for Oracle Linux 7.
Jul 28 2015 (Ubuntu Issues Fix) QEMU i8254 PIT Emulation Bug Lets Local Users Gain Elevated Privileges
Ubuntu has issued a fix for Ubuntu 14.04 LTS and 15.04.



 Source Message Contents

Subject:  [oss-security] CVE-2015-3214 qemu: i8254: out-of-bounds memory access in pit_ioport_read function

Due to converting PIO to the new memory read/write api we no longer provide
separate I/O region lengths for read and write operations. As a result,
reading from PIT Mode/Command register will end with accessing
pit->channels with invalid index and potentially cause memory corruption
and/or minor information leak.

A privileged guest user in a guest with QEMU PIT emulation enabled could
potentially (though unlikely) use this flaw to execute arbitrary code on
the host with the privileges of the hosting QEMU process.

Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT
emulation and are thus not vulnerable to this issue.

Acknowledgements:

Red Hat would like to thank Matt Tait of Google's Project Zero security
team for reporting this issue.

Upstream patch submission:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg304063.html

-- 
Petr Matousek / Red Hat Product Security
PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3  D874 3E78 6F42 C449 77CA
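As an added illustration (not code from QEMU, the advisory or the message above), the C model below reproduces the defect the message describes: one read handler serves all four PIT port offsets but uses the offset directly as an index into a three-entry channels[] array, so a read of the Mode/Command register (offset 3) touches whatever follows the array; beside it is a hardened handler that rejects that offset before indexing. PITState, PITChannelState, the canary field, pit_init and the two handler names are simplified constructions for this example and do not reproduce QEMU's real structures or its patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of i8254 PIT state: three counters at port offsets
 * 0-2 and the write-only Mode/Command register at offset 3. */
#define PIT_CHANNELS 3

typedef struct {
    int count;          /* current counter value */
    int count_latched;
} PITChannelState;

typedef struct {
    PITChannelState channels[PIT_CHANNELS];
    int canary;         /* stands in for whatever follows the array */
} PITState;

static void pit_init(PITState *pit, int canary)
{
    memset(pit, 0, sizeof *pit);
    for (int i = 0; i < PIT_CHANNELS; i++)
        pit->channels[i].count = 0x100 + i;   /* low byte == channel index */
    pit->canary = canary;
}

/* Vulnerable pattern: the port offset is used as the channel index, so
 * offset 3 computes base + 3 * sizeof(PITChannelState), past channels[]
 * and onto the canary. The byte arithmetic reproduces what
 * &pit->channels[addr] would compute while keeping the read defined. */
static uint64_t pit_read_vulnerable(const PITState *pit, uint64_t addr)
{
    addr &= 3;
    const char *ch = (const char *)pit + addr * sizeof(PITChannelState);
    int count;
    memcpy(&count, ch + offsetof(PITChannelState, count), sizeof count);
    return (uint64_t)(count & 0xff);
}

/* Hardened pattern: reject the Mode/Command offset before indexing, so
 * every index that reaches channels[] is provably in range. */
static uint64_t pit_read_fixed(const PITState *pit, uint64_t addr)
{
    addr &= 3;
    if (addr == 3)
        return 0;   /* register is write-only; a read yields nothing useful */
    return (uint64_t)(pit->channels[addr].count & 0xff);
}
```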

Copyright 2018, SecurityGlobal.net LLC