Vulnerabilities > CVE-2009-3616 - Use After Free vulnerability in multiple products

CVSS 9.9 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
qemu
redhat
CWE-416
critical
nessus

Summary

Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_1_KVM-091113.NASL
    description: This update of QEMU KVM fixes the following bugs: - CVE-2009-3616: CVSS v2 Base Score: 8.5 use-after-free bug in VNC code which might be used to execute code on the host system injected from the guest system - CVE-2009-3638: CVSS v2 Base Score: 7.2 integer overflow in kvm_dev_ioctl_get_supported_cpuid() - CVE-2009-3640: CVSS v2 Base Score: 2.1 update_cr8_intercept() NULL pointer dereference
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42865
    published: 2009-11-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/42865
    title: openSUSE Security Update : kvm (kvm-1545)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update kvm-1545.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    # Local (credentialed) check: the plugin only runs when local checks are
    # enabled and an RPM inventory is available, then compares the installed
    # kvm packages on openSUSE 11.1 against the versions shipped in kvm-1545.
    
    include("compat.inc");
    
    if (description)
    {
      # Plugin identity and revision metadata.
      script_id(42865);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:34");
    
      script_cve_id("CVE-2009-3616", "CVE-2009-3638", "CVE-2009-3640");
    
      script_name(english:"openSUSE Security Update : kvm (kvm-1545)");
      script_summary(english:"Check for the kvm-1545 patch");
    
      script_set_attribute(attribute:"synopsis", value:"The remote openSUSE host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "This update of QEMU KVM fixes the following bugs :
    
      - CVE-2009-3616: CVSS v2 Base Score: 8.5 use-after-free
        bug in VNC code which might be used to execute code on
        the host system injected from the guest system
    
      - CVE-2009-3638: CVSS v2 Base Score: 7.2 integer overflow
        in kvm_dev_ioctl_get_supported_cpuid() 
    
      - CVE-2009-3640: CVSS v2 Base Score: 2.1
        update_cr8_intercept() NULL pointer dereference");
    
      # Vendor bug-tracker references, one see_also attribute each.
      foreach url (make_list(
        "https://bugzilla.novell.com/show_bug.cgi?id=540247",
        "https://bugzilla.novell.com/show_bug.cgi?id=547555",
        "https://bugzilla.novell.com/show_bug.cgi?id=547624",
        "https://bugzilla.novell.com/show_bug.cgi?id=549487",
        "https://bugzilla.novell.com/show_bug.cgi?id=550072",
        "https://bugzilla.novell.com/show_bug.cgi?id=550732",
        "https://bugzilla.novell.com/show_bug.cgi?id=550917"
      )) script_set_attribute(attribute:"see_also", value:url);
    
      script_set_attribute(attribute:"solution", value:"Update the affected kvm packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
      script_cwe_id(20, 189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
    
      # Affected packages and platform, as CPEs.
      foreach cpe (make_list(
        "p-cpe:/a:novell:opensuse:kvm",
        "p-cpe:/a:novell:opensuse:kvm-kmp-default",
        "p-cpe:/a:novell:opensuse:kvm-kmp-pae",
        "p-cpe:/a:novell:opensuse:kvm-kmp-trace",
        "cpe:/o:novell:opensuse:11.1"
      )) script_set_attribute(attribute:"cpe", value:cpe);
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions: credentialed scan, openSUSE 11.1 (not SLED/SLES), an RPM
    # inventory in the KB, and an architecture the update was built for.
    # Each audit() call records the reason the check did not apply.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    arch = get_kb_item("Host/cpu");
    if (!arch) audit(AUDIT_UNKNOWN_ARCH);
    if (arch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", arch);
    
    # Fixed package versions from kvm-1545; rpm_check() (rpm.inc) is expected
    # to report a hit for an installed package older than its reference.
    fixed = make_list(
      "kvm-78.0.10.6-0.1.1",
      "kvm-kmp-default-78.2.6.30.1_2.6.27.37_0.1-0.1.1",
      "kvm-kmp-pae-78.2.6.30.1_2.6.27.37_0.1-0.1.1",
      "kvm-kmp-trace-78.2.6.30.1_2.6.27.37_0.1-0.1.1"
    );
    
    vuln = 0;
    foreach ref (fixed)
      if (rpm_check(release:"SUSE11.1", reference:ref)) vuln++;
    
    if (!vuln)
    {
      # Nothing outdated: distinguish "checked and up to date" from "not installed".
      checked = pkg_tests_get();
      if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "QEMU KVM");
    }
    else
    {
      # At least one affected package is installed; include the per-package
      # version comparison only when verbose reporting is requested.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_1_QEMU-091112.NASL
    description: The VNC server of qemu was vulnerable to use-after-free bugs that allowed the execution of code on the host system initiated from the guest system. This can be used to escape from the guest machine to the host machine. (CVE-2009-3616: CVSS v2 Base Score: 8.5)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42860
    published: 2009-11-20
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/42860
    title: openSUSE Security Update : qemu (qemu-1537)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_0_KVM-091113.NASL
    description: This update of QEMU KVM fixes the following bugs: - CVE-2009-3616: CVSS v2 Base Score: 8.5 use-after-free bug in VNC code which might be used to execute code on the host system injected from the guest system - CVE-2009-3638: CVSS v2 Base Score: 7.2 integer overflow in kvm_dev_ioctl_get_supported_cpuid() - CVE-2009-3640: CVSS v2 Base Score: 2.1 update_cr8_intercept() NULL pointer dereference
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42864
    published: 2009-11-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/42864
    title: openSUSE Security Update : kvm (kvm-1547)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_0_QEMU-091112.NASL
    description: The VNC server of qemu was vulnerable to use-after-free bugs that allowed the execution of code on the host system initiated from the guest system. This can be used to escape from the guest machine to the host machine. (CVE-2009-3616: CVSS v2 Base Score: 8.5)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42859
    published: 2009-11-20
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/42859
    title: openSUSE Security Update : qemu (qemu-1537)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_KVM-091116.NASL
    description: This update of QEMU KVM fixes the following bugs: - use-after-free bug in VNC code which might be used to execute code on the host system injected from the guest system. (CVE-2009-3616: CVSS v2 Base Score: 8.5) - integer overflow in kvm_dev_ioctl_get_supported_cpuid(). (CVE-2009-3638: CVSS v2 Base Score: 7.2) - update_cr8_intercept() NULL pointer dereference. (CVE-2009-3640: CVSS v2 Base Score: 2.1)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42867
    published: 2009-11-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/42867
    title: SuSE 11 Security Update : KVM (SAT Patch Number 1553)