ID CVE-2016-3710
Summary The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.
References
Vulnerable Configurations
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • HP Helion OpenStack 2.0
    cpe:2.3:a:hp:helion_openstack:2.0
  • HP Helion OpenStack 2.1
    cpe:2.3:a:hp:helion_openstack:2.1
  • HP Helion OpenStack 2.1.2
    cpe:2.3:a:hp:helion_openstack:2.1.2
  • HP Helion OpenStack 2.1.4
    cpe:2.3:a:hp:helion_openstack:2.1.4
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 15.10
    cpe:2.3:o:canonical:ubuntu_linux:15.10
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • QEMU
    cpe:2.3:a:qemu:qemu
CVSS
Base: 7.2 (as of 09-09-2016 - 09:25)
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back-end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client-side scripts like Ajax and client-side JavaScript can contain malicious scripts as well. In general, all that is required is for there to be sufficient privileges to execute a script, but not protection against writing it.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0997.NASL
    description From Red Hat Security Advisory 2016:0997 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix(es) : * An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations via I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710) Red Hat would like to thank Wei Xiao (360 Marvel Team) and Qinghao Tang (360 Marvel Team) for reporting this issue.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 91211
    published 2016-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91211
    title Oracle Linux 6 : qemu-kvm (ELSA-2016-0997)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0724.NASL
    description An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix(es) : * An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations via I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710) Red Hat would like to thank Wei Xiao (360 Marvel Team) and Qinghao Tang (360 Marvel Team) for reporting this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91019
    published 2016-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91019
    title CentOS 7 : qemu-kvm (CESA-2016:0724)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160510_QEMU_KVM_ON_SL6_X.NASL
    description Security Fix(es) : - An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations via I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710)
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 91542
    published 2016-06-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91542
    title Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1224.NASL
    description An update for qemu-kvm-rhev is now available for RHEV-H and Agents for RHEL-6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager. Security Fix(es) : * An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations using I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710) Red Hat would like to thank Wei Xiao (360 Marvel Team) and Qinghao Tang (360 Marvel Team) for reporting this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91632
    published 2016-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91632
    title RHEL 6 : qemu-kvm-rhev (RHSA-2016:1224)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0089.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates: please see Oracle VM Security Advisory OVMSA-2016-0089 for details.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 92601
    published 2016-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92601
    title OracleVM 3.3 : xen (OVMSA-2016-0089)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160927_KVM_ON_SL5_X.NASL
    description Security Fix(es) : - An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations using I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710) - Quick Emulator (QEMU) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement, which results in unbounded memory allocation on the host controlled by the guest. (CVE-2016-5403)
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 93794
    published 2016-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93794
    title Scientific Linux Security Update : kvm on SL5.x x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0997.NASL
    description An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix(es) : * An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations via I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710) Red Hat would like to thank Wei Xiao (360 Marvel Team) and Qinghao Tang (360 Marvel Team) for reporting this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91172
    published 2016-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91172
    title CentOS 6 : qemu-kvm (CESA-2016:0997)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0724.NASL
    description An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix(es) : * An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations via I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710) Red Hat would like to thank Wei Xiao (360 Marvel Team) and Qinghao Tang (360 Marvel Team) for reporting this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91035
    published 2016-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91035
    title RHEL 7 : qemu-kvm (RHSA-2016:0724)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0724.NASL
    description From Red Hat Security Advisory 2016:0724 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix(es) : * An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations via I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710) Red Hat would like to thank Wei Xiao (360 Marvel Team) and Qinghao Tang (360 Marvel Team) for reporting this issue.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 91031
    published 2016-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91031
    title Oracle Linux 7 : qemu-kvm (ELSA-2016-0724)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160509_QEMU_KVM_ON_SL7_X.NASL
    description Security Fix(es) : - An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations via I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710)
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 91042
    published 2016-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91042
    title Scientific Linux Security Update : qemu-kvm on SL7.x x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0997.NASL
    description An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix(es) : * An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations via I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710) Red Hat would like to thank Wei Xiao (360 Marvel Team) and Qinghao Tang (360 Marvel Team) for reporting this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91038
    published 2016-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91038
    title RHEL 6 : qemu-kvm (RHSA-2016:0997)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0725.NASL
    description An update for qemu-kvm-rhev is now available for Red Hat Enterprise Virtualization. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager. Security Fix(es) : * An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations via I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710) Red Hat would like to thank Wei Xiao (360 Marvel Team) and Qinghao Tang (360 Marvel Team) for reporting this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 117311
    published 2018-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117311
    title RHEL 7 : qemu-kvm-rhev (RHSA-2016:0725)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-A3298E39F7.NASL
    description - CVE-2016-3710: incorrect bounds checking in vga (bz #1334345) - CVE-2016-3712: out of bounds read in vga (bz #1334342) - Fix USB redirection (bz #1330221) - CVE-2016-4037: infinite loop in usb ehci (bz #1328080) - CVE-2016-4001: buffer overflow in stellaris net (bz #1325885) - CVE-2016-2858: rng stack corruption (bz #1314677) - CVE-2016-2391: ohci: crash via multiple timers (bz #1308881) - CVE-2016-2198: ehci: NULL pointer dereference (bz #1303134) - Fix ./configure with ccache. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92135
    published 2016-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92135
    title Fedora 22 : 2:qemu (2016-a3298e39f7)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-1943.NASL
    description An update for kvm is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (for Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware. Using KVM, one can run multiple virtual machines running unmodified Linux or Windows images. Each virtual machine has private virtualized hardware: a network card, disk, graphics adapter, etc. Security Fix(es) : * An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations using I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710) * Quick Emulator (QEMU) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement, which results in unbounded memory allocation on the host controlled by the guest. (CVE-2016-5403) Red Hat would like to thank Wei Xiao (360 Marvel Team) and Qinghao Tang (360 Marvel Team) for reporting CVE-2016-3710 and hongzhenhao (Marvel Team) for reporting CVE-2016-5403.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93778
    published 2016-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93778
    title CentOS 5 : kvm (CESA-2016:1943)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0081.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates: please see Oracle VM Security Advisory OVMSA-2016-0081 for details.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 91756
    published 2016-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91756
    title OracleVM 3.2 : xen (OVMSA-2016-0081)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-540.NASL
    description Several vulnerabilities were discovered in qemu, a fast processor emulator. CVE-2016-3710 Wei Xiao and Qinghao Tang of 360.cn Inc discovered an out-of-bounds read and write flaw in the QEMU VGA module. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. CVE-2016-3712 Zuozhi Fzz of Alibaba Inc discovered potential integer overflow or out-of-bounds read access issues in the QEMU VGA module. A privileged guest user could use this flaw to mount a denial of service (QEMU process crash). For Debian 7 'Wheezy', these problems have been fixed in version 1.1.2+dfsg-6+deb7u13. We recommend that you upgrade your qemu packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 91920
    published 2016-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91920
    title Debian DLA-540-1 : qemu security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-A21B2CB7A0.NASL
    description create link to /usr/bin/qemu-system-i386 from /usr/lib/xen/bin for back compatibility and for virt-manager ---- qemu-kvm: Integer overflow in SDL when creating too wide screen, QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds check [XSA-179, CVE-2016-3710, CVE-2016-3712] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92134
    published 2016-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92134
    title Fedora 24 : xen (2016-a21b2cb7a0)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-539.NASL
    description