Vulnerabilities > CVE-2009-3616 - Use After Free vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_11_1_KVM-091113.NASL description This update of QEMU KVM fixes the following bugs : - CVE-2009-3616: CVSS v2 Base Score: 8.5 use-after-free bug in VNC code which might be used to execute code on the host system injected from the guest system - CVE-2009-3638: CVSS v2 Base Score: 7.2 integer overflow in kvm_dev_ioctl_get_supported_cpuid() - CVE-2009-3640: CVSS v2 Base Score: 2.1 update_cr8_intercept() NULL pointer dereference last seen 2020-06-01 modified 2020-06-02 plugin id 42865 published 2009-11-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42865 title openSUSE Security Update : kvm (kvm-1545) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update kvm-1545. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(42865); script_version("1.9"); script_cvs_date("Date: 2019/10/25 13:36:34"); script_cve_id("CVE-2009-3616", "CVE-2009-3638", "CVE-2009-3640"); script_name(english:"openSUSE Security Update : kvm (kvm-1545)"); script_summary(english:"Check for the kvm-1545 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." 
); script_set_attribute( attribute:"description", value: "This update of QEMU KVM fixes the following bugs : - CVE-2009-3616: CVSS v2 Base Score: 8.5 use-after-free bug in VNC code which might be used to execute code on the host system injected from the guest system - CVE-2009-3638: CVSS v2 Base Score: 7.2 integer overflow in kvm_dev_ioctl_get_supported_cpuid() - CVE-2009-3640: CVSS v2 Base Score: 2.1 update_cr8_intercept() NULL pointer dereference" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=540247" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=547555" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=547624" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=549487" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=550072" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=550732" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=550917" ); script_set_attribute(attribute:"solution", value:"Update the affected kvm packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C"); script_cwe_id(20, 189, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kvm-kmp-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kvm-kmp-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kvm-kmp-trace"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.1"); script_set_attribute(attribute:"patch_publication_date", value:"2009/11/13"); script_set_attribute(attribute:"plugin_publication_date", 
value:"2009/11/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.1", reference:"kvm-78.0.10.6-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.1", reference:"kvm-kmp-default-78.2.6.30.1_2.6.27.37_0.1-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.1", reference:"kvm-kmp-pae-78.2.6.30.1_2.6.27.37_0.1-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.1", reference:"kvm-kmp-trace-78.2.6.30.1_2.6.27.37_0.1-0.1.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "QEMU KVM"); }
NASL family SuSE Local Security Checks NASL id SUSE_11_1_QEMU-091112.NASL description The VNC server of qemu was vulnerable to use-after-free bugs that allowed execution of code on the host system, initiated from the guest system. This can be used to escape from the guest machine to the host machine. (CVE-2009-3616: CVSS v2 Base Score: 8.5) last seen 2020-06-01 modified 2020-06-02 plugin id 42860 published 2009-11-20 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42860 title openSUSE Security Update : qemu (qemu-1537) NASL family SuSE Local Security Checks NASL id SUSE_11_0_KVM-091113.NASL description This update of QEMU KVM fixes the following bugs : - CVE-2009-3616: CVSS v2 Base Score: 8.5 use-after-free bug in VNC code which might be used to execute code on the host system injected from the guest system - CVE-2009-3638: CVSS v2 Base Score: 7.2 integer overflow in kvm_dev_ioctl_get_supported_cpuid() - CVE-2009-3640: CVSS v2 Base Score: 2.1 update_cr8_intercept() NULL pointer dereference last seen 2020-06-01 modified 2020-06-02 plugin id 42864 published 2009-11-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42864 title openSUSE Security Update : kvm (kvm-1547) NASL family SuSE Local Security Checks NASL id SUSE_11_0_QEMU-091112.NASL description The VNC server of qemu was vulnerable to use-after-free bugs that allowed execution of code on the host system, initiated from the guest system. This can be used to escape from the guest machine to the host machine. (CVE-2009-3616: CVSS v2 Base Score: 8.5) last seen 2020-06-01 modified 2020-06-02 plugin id 42859 published 2009-11-20 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/42859 title openSUSE Security Update : qemu (qemu-1537) NASL family SuSE Local Security Checks NASL id SUSE_11_KVM-091116.NASL description This update of QEMU KVM fixes the following bugs : - use-after-free bug in VNC code which might be used to execute code on the host system injected from the guest system. (CVE-2009-3616: CVSS v2 Base Score: 8.5) - integer overflow in kvm_dev_ioctl_get_supported_cpuid(). (CVE-2009-3638: CVSS v2 Base Score: 7.2) - update_cr8_intercept() NULL pointer dereference. (CVE-2009-3640: CVSS v2 Base Score: 2.1) last seen 2020-06-01 modified 2020-06-02 plugin id 42867 published 2009-11-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42867 title SuSE 11 Security Update : KVM (SAT Patch Number 1553)
References
- http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5
- http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5
- http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331
- http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331
- http://marc.info/?l=qemu-devel&m=124324043812915
- http://marc.info/?l=qemu-devel&m=124324043812915
- http://rhn.redhat.com/errata/RHEA-2009-1272.html
- http://rhn.redhat.com/errata/RHEA-2009-1272.html
- http://www.openwall.com/lists/oss-security/2009/10/16/5
- http://www.openwall.com/lists/oss-security/2009/10/16/5
- http://www.openwall.com/lists/oss-security/2009/10/16/8
- http://www.openwall.com/lists/oss-security/2009/10/16/8
- http://www.securityfocus.com/bid/36716
- http://www.securityfocus.com/bid/36716
- https://bugzilla.redhat.com/show_bug.cgi?id=501131
- https://bugzilla.redhat.com/show_bug.cgi?id=501131
- https://bugzilla.redhat.com/show_bug.cgi?id=505641
- https://bugzilla.redhat.com/show_bug.cgi?id=505641
- https://bugzilla.redhat.com/show_bug.cgi?id=508567
- https://bugzilla.redhat.com/show_bug.cgi?id=508567