Vulnerabilities > CVE-2008-2004 - Information Exposure vulnerability in Qemu 0.9.1
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted.
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2008-2003.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - Disable QEMU image format auto-detection (CVE-2008-2004) - Fix PVFB to validate frame buffer description - Fix PVFB to cope with bogus update requests - Fix QEMU buffer overflow (CVE-2007-5730) - Fix QEMU block device extents checking (CVE-2008-0928) - Fix FV O_DIRECT flushing last seen 2020-06-01 modified 2020-06-02 plugin id 79446 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79446 title OracleVM 2.1 : xen (OVMSA-2008-2003) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0194.NASL description Updated xen packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xen packages contain tools for managing the virtual machine monitor in Red Hat Virtualization. These updated packages fix the following security issues : Daniel P. Berrange discovered that the hypervisor last seen 2020-06-01 modified 2020-06-02 plugin id 43678 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43678 title CentOS 5 : xen (CESA-2008:0194) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-776-2.NASL description USN-776-1 fixed vulnerabilities in KVM. Due to an incorrect fix, a regression was introduced in Ubuntu 8.04 LTS that caused KVM to fail to boot virtual machines started via libvirt. This update fixes the problem. We apologize for the inconvenience. Avi Kivity discovered that KVM did not correctly handle certain disk formats. A local attacker could attach a malicious partition that would allow the guest VM to read files on the VM host. (CVE-2008-1945, CVE-2008-2004) Alfredo Ortega discovered that KVM last seen 2020-06-01 modified 2020-06-02 plugin id 38777 published 2009-05-14 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38777 title Ubuntu 8.04 LTS : kvm regression (USN-776-2) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_8950AC621D3011DD93880211060005DF.NASL description Secunia reports : A vulnerability has been reported in QEMU, which can be exploited by malicious, local users to bypass certain security restrictions. The vulnerability is caused due to the last seen 2020-06-01 modified 2020-06-02 plugin id 32147 published 2008-05-09 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32147 title FreeBSD : qemu -- 'drive_init()' Disk Format Security Bypass (8950ac62-1d30-11dd-9388-0211060005df) NASL family Scientific Linux Local Security Checks NASL id SL_20080513_XEN_ON_SL5_X.NASL description Note: Troy Dawson has tested this update on a machine hosting both paravirtualized and fully virtualized machines, both 32 bit and 64 bit. He did the update while all the machines were running, none of them had any problems. He also tried stopping, starting, and rebooting several of the machines. All without any problems. We tell you this because updating the xen package, while running virtual machines, can make you a little nervous. These updated packages fix the following security issues : Daniel P. Berrange discovered that the hypervisor last seen 2020-06-01 modified 2020-06-02 plugin id 60398 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60398 title Scientific Linux Security Update : xen on SL5.x i386/x86_64 NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-162.NASL description Multiple vulnerabilities have been found in Qemu. Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to attempting to mark non-existent regions as dirty, aka the bitblt heap overflow. (CVE-2007-1320) Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 receive integer signedness error. (CVE-2007-1321) QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction. (CVE-2007-1322) QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by aam 0x0, which triggers a divide-by-zero error. (CVE-2007-1366) The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitrary code by writing Ethernet frames with a size larger than the MTU to the EN0_TCNT register, which triggers a heap-based buffer overflow in the slirp library, aka NE2000 mtu heap overflow. (CVE-2007-5729) Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the net socket listen option, aka QEMU net socket heap overflow. (CVE-2007-5730) QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating system to overwrite the TranslationBlock (code_gen_buffer) buffer, and probably have unspecified other impacts related to an overflow, via certain Windows executable programs, as demonstrated by qemu-dos.com. (CVE-2007-6227) Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine. (CVE-2008-0928) Changing removable media in QEMU could trigger a bug similar to CVE-2008-2004, which would allow local guest users to read arbitrary files on the host by modifying the header of the image to identify a different format. (CVE-2008-1945) See the diskformat: parameter to the -usbdevice option. The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted. (CVE-2008-2004) See the -format option. The updated packages have been patched to fix these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37509 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37509 title Mandriva Linux Security Advisory : qemu (MDVSA-2008:162) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0194.NASL description Updated xen packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xen packages contain tools for managing the virtual machine monitor in Red Hat Virtualization. These updated packages fix the following security issues : Daniel P. Berrange discovered that the hypervisor last seen 2020-06-01 modified 2020-06-02 plugin id 32354 published 2008-05-16 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32354 title RHEL 5 : xen (RHSA-2008:0194) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-776-1.NASL description Avi Kivity discovered that KVM did not correctly handle certain disk formats. A local attacker could attach a malicious partition that would allow the guest VM to read files on the VM host. (CVE-2008-1945, CVE-2008-2004) Alfredo Ortega discovered that KVM last seen 2020-06-01 modified 2020-06-02 plugin id 38759 published 2009-05-13 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38759 title Ubuntu 8.04 LTS / 8.10 : kvm vulnerabilities (USN-776-1) NASL family SuSE Local Security Checks NASL id SUSE_QEMU-5270.NASL description Local attackers could use raw formatted disk images to access the hosting environment. CVE-2008-2004 has been assigned to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 33163 published 2008-06-12 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33163 title openSUSE 10 Security Update : qemu (qemu-5270) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0194.NASL description From Red Hat Security Advisory 2008:0194 : Updated xen packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xen packages contain tools for managing the virtual machine monitor in Red Hat Virtualization. These updated packages fix the following security issues : Daniel P. Berrange discovered that the hypervisor last seen 2020-06-01 modified 2020-06-02 plugin id 67671 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67671 title Oracle Linux 5 : xen (ELSA-2008-0194)
Oval
| accepted | 2013-04-29T04:10:49.864-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted. | ||||||||||||
| family | unix | ||||||||||||
| id | oval:org.mitre.oval:def:11021 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
| title | The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted. | ||||||||||||
| version | 18 |
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://lists.gnu.org/archive/html/qemu-devel/2008-04/msg00675.html
- http://svn.savannah.gnu.org/viewvc/?view=rev&root=qemu&revision=4277
- http://www.securityfocus.com/bid/29101
- http://secunia.com/advisories/30111
- http://www.redhat.com/support/errata/RHSA-2008-0194.html
- http://secunia.com/advisories/29963
- http://www.novell.com/linux/security/advisories/2008_13_sr.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:162
- http://secunia.com/advisories/30717
- http://secunia.com/advisories/29129
- http://www.ubuntu.com/usn/usn-776-1
- http://secunia.com/advisories/35062
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42268
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11021