Fabrice Bellard QEMU 1.4.0/1.7.1 SMART EXECUTE OFFLINE Command hw/ide/core.c cmd_smart numeric error
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.2 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as critical, was found in Fabrice Bellard QEMU 1.4.0/1.7.1. The affected element is the function cmd_smart of the file hw/ide/core.c of the component SMART EXECUTE OFFLINE Command. The manipulation results in numeric error.
This vulnerability was named CVE-2014-2894. There is no available exploit.
Applying a patch is advised to resolve this issue.
Details
A vulnerability, which was classified as critical, was found in Fabrice Bellard QEMU 1.4.0/1.7.1 (Virtualization Software). Affected is the function cmd_smart of the file hw/ide/core.c of the component SMART EXECUTE OFFLINE Command. The manipulation with an unknown input leads to a numeric error vulnerability. CWE is classifying the issue as CWE-189. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption.
The weakness was presented 04/12/2014 by Benoît Canet as [Qemu-devel] [PATCH for 2.0] ide: Correct improper smart self test count as confirmed posting (Mailing List). The advisory is shared for download at lists.nongnu.org. This vulnerability is traded as CVE-2014-2894 since 04/17/2014. The exploitability is told to be easy. The attack needs to be approached locally. The exploitation doesn't require any form of authentication. There are known technical details, but no exploit is available. The reason for this vulnerability is this part of code:
s->smart_selftest_count = 0;The advisory points out:
The counter being reseted to zero make the array index negative.
The vulnerability scanner Nessus provides a plugin with the ID 76737 (Oracle Linux 7 : qemu-kvm (ELSA-2014-0704)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Oracle Linux Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 195460 (Ubuntu Security Notification for QEMU Vulnerabilities (USN-2182-1)).
Applying a patch is able to eliminate this problem. The bugfix is ready for download at lists.nongnu.org. A possible mitigation has been published immediately after the disclosure of the vulnerability. The vulnerability will be addressed with the following lines of code:
s->smart_selftest_count = 1;
The vulnerability is also documented in the databases at X-Force (92663), Tenable (76737), SecurityFocus (BID 66932†), Secunia (SA57945†) and Vulnerability Center (SBV-44645†). See VDB-13009, VDB-13019 and VDB-13266 for similar entries. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://bellard.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.9VulDB Meta Temp Score: 5.2
VulDB Base Score: 5.9
VulDB Temp Score: 5.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Numeric errorCWE: CWE-189
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Status: Unproven
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 76737
Nessus Name: Oracle Linux 7 : qemu-kvm (ELSA-2014-0704)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 702932
OpenVAS Name: Debian Security Advisory DSA 2932-1 (qemu - security update
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Patch: lists.nongnu.org
Timeline
04/12/2014 🔍04/12/2014 🔍
04/12/2014 🔍
04/16/2014 🔍
04/17/2014 🔍
04/17/2014 🔍
04/17/2014 🔍
04/23/2014 🔍
05/27/2014 🔍
07/24/2014 🔍
06/17/2021 🔍
Sources
Vendor: bellard.orgAdvisory: [Qemu-devel] [PATCH for 2.0] ide: Correct improper smart self test count
Researcher: Benoît Canet
Status: Confirmed
CVE: CVE-2014-2894 (🔍)
GCVE (CVE): GCVE-0-2014-2894
GCVE (VulDB): GCVE-100-13008
OVAL: 🔍
X-Force: 92663 - QEMU cmd_smart() code executon, Medium Risk
SecurityFocus: 66932 - QEMU IDE SMART Out of Bounds Local Privilege Escalation Vulnerability
Secunia: 57945 - Qemu IDE SMART EXECUTE OFFLINE Memory Corruption Vulnerability, Not Critical
Vulnerability Center: 44645 - QEMU <2.0 Local Code Execution in cmd_smart() when Executing IDE SMART Commands, High
See also: 🔍
Entry
Created: 04/17/2014 16:31Updated: 06/17/2021 13:19
Changes: 04/17/2014 16:31 (88), 05/29/2017 08:49 (3), 06/17/2021 13:19 (3)
Complete: 🔍
Cache ID: 216:AC7:103
VulDB is the best source for vulnerability data and more expert information about this specific topic.
No comments yet. Languages: en.
Please log in to comment.