CVE-2015-5154

CVSSv2: 7.2

Published: 2015-08-12 | Updated: 2023-02-13
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
VMScore: 641
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the guest has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.

Vulnerable Products

xen xen

xen xen 4.5.1

suse linux enterprise server 11

suse linux enterprise desktop 11

suse linux enterprise software development kit 12

suse linux enterprise software development kit 11

suse linux enterprise desktop 12

suse linux enterprise debuginfo 11

suse suse linux enterprise server 12

fedoraproject fedora 22

fedoraproject fedora 23

fedoraproject fedora 21

qemu qemu

Vendor Advisories

Several security issues were fixed in QEMU ...
Several vulnerabilities were discovered in qemu, a fast processor emulator. CVE-2015-3214: Matt Tait of Google's Project Zero security team discovered a flaw in the QEMU i8254 PIT emulation. A privileged guest user in a guest with QEMU PIT emulation enabled could potentially use this flaw to execute arbitrary code on the host with t ...
Debian Bug report logs - #794611 qemu: CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Tue, 4 Aug 2015 20:27:02 UTC Severity: important ...
Debian Bug report logs - #793811 qemu: CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Mon, 27 Jul 2015 18:12:02 UTC Severity: g ...
Debian Bug report logs - #795461 qemu: CVE-2015-3214: i8254: out-of-bounds memory access in pit_ioport_read function Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Fri, 14 Aug 2015 08:12:10 UTC Severi ...
Debian Bug report logs - #793388 qemu: CVE-2015-5158: scsi stack buffer overflow Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Thu, 23 Jul 2015 15:06:03 UTC Severity: important Tags: patch, security, ...
Debian Bug report logs - #794610 qemu: CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Tue, 4 Aug 2015 20:24:02 UTC Severi ...
Debian Bug report logs - #795087 qemu: CVE-2015-5745: buffer overflow in virtio-serial Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Mon, 10 Aug 2015 13:24:06 UTC Severity: normal Tags: fixed-upstrea ...
Debian Bug report logs - #796465 qemu: CVE-2015-5225: ui: vnc: heap memory corruption in vnc_refresh_server_surface Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Fri, 21 Aug 2015 22:12:02 UTC Severit ...
A heap buffer overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with the CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest ...
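The Debian and Red Hat texts above describe the bug as a heap overflow during I/O buffer access while handling ATAPI commands. The C model below is an added example, not code from QEMU or Xen: it shows the failure class behind that description, a PIO data-port handler that relies only on the DRQ status bit to stop the guest's writes, paired with a command-completion path that fails to clear DRQ, so the guest can keep pushing words past the end of the expected transfer and into whatever follows the I/O buffer on the heap. The hardened variant adds an explicit check against the end of the armed transfer, the same shape as the upstream QEMU fix, which added bounds checks on io_buffer accesses. The names (IDEState, io_buffer, data_ptr, data_end, DRQ) follow QEMU's vocabulary, but the 16-byte buffer, the "neighbor" object that stands in for the adjacent heap allocation, the 8-byte transfer and the flag that models the buggy completion path are all constructed for this demonstration and are not QEMU's real sizes or fields.

```c
/* Added example: a deliberately simplified model of an IDE PIO data port
 * writing guest-supplied words into a fixed heap buffer. Not QEMU's code.
 * Sizes, the neighbor object and the completion_leaves_drq flag are
 * constructed for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IO_BUF_SIZE   16   /* constructed: tiny so the overflow is visible */
#define NEIGHBOR_SIZE 16   /* constructed: stands in for the next heap object */
#define STATUS_DRQ    0x08 /* ATA Data Request: device ready for PIO data */

/* One heap allocation holding the I/O buffer and a stand-in for whatever
 * would follow it on the real heap. This keeps the demonstration memory
 * safe: the "overflow" lands in neighbor, which we inspect afterwards. */
typedef struct {
    uint8_t io_buffer[IO_BUF_SIZE];
    uint8_t neighbor[NEIGHBOR_SIZE];
} Backing;

typedef struct {
    Backing *mem;
    uint8_t *data_ptr;              /* next byte a guest PIO access touches */
    uint8_t *data_end;              /* one past the last byte of this transfer */
    uint8_t  status;
    int      completion_leaves_drq; /* models a buggy command-completion path */
} IDEState;

/* Arm a PIO transfer of len bytes starting at io_buffer[0]. */
static void ide_transfer_start(IDEState *s, size_t len)
{
    s->data_ptr = s->mem->io_buffer;
    s->data_end = s->mem->io_buffer + len;
    s->status  |= STATUS_DRQ;
}

/* Runs once the expected number of bytes has moved. A correct completion
 * path clears DRQ; the buggy one (the flag) forgets, leaving the port
 * armed with data_ptr == data_end. */
static void ide_end_transfer(IDEState *s)
{
    if (!s->completion_leaves_drq)
        s->status &= ~STATUS_DRQ;
}

/* Guest writes one 16-bit word to the data port. Returns 1 if accepted.
 * hardened == 0: trusts DRQ alone (vulnerable pattern).
 * hardened == 1: also refuses any access that would cross data_end. */
static int ide_data_writew(IDEState *s, uint16_t val, int hardened)
{
    uint8_t *p = s->data_ptr;

    if (!(s->status & STATUS_DRQ))
        return 0;                   /* no transfer armed: ignore the write */
    if (hardened && p + 2 > s->data_end)
        return 0;                   /* explicit bounds check: the fix class */

    memcpy(p, &val, 2);             /* vulnerable path may write past data_end */
    p += 2;
    if (p >= s->data_end)
        ide_end_transfer(s);
    s->data_ptr = p;
    return 1;
}

/* Arm an 8-byte transfer (4 words), then let the guest push guest_words
 * words. Returns how many neighbor bytes were overwritten and stores how
 * many writes the port accepted. guest_words is clamped so the model
 * itself never writes outside the Backing allocation. */
static int simulate_pio(int hardened, int completion_leaves_drq,
                        int guest_words, int *accepted)
{
    Backing *mem = calloc(1, sizeof *mem);
    IDEState s = { .mem = mem, .completion_leaves_drq = completion_leaves_drq };
    int ok = 0, clobbered = 0;

    if (guest_words > (IO_BUF_SIZE + NEIGHBOR_SIZE) / 2)
        guest_words = (IO_BUF_SIZE + NEIGHBOR_SIZE) / 2;

    ide_transfer_start(&s, 8);
    for (int i = 0; i < guest_words; i++)
        ok += ide_data_writew(&s, 0x4141, hardened);

    for (int i = 0; i < NEIGHBOR_SIZE; i++)
        clobbered += (mem->neighbor[i] != 0);

    free(mem);
    if (accepted)
        *accepted = ok;
    return clobbered;
}

/* Convenience: number of guest writes the port accepted in the same run. */
static int accepted_writes(int hardened, int completion_leaves_drq, int guest_words)
{
    int n = 0;
    simulate_pio(hardened, completion_leaves_drq, guest_words, &n);
    return n;
}

int main(void)
{
    int acc, clob;
    clob = simulate_pio(0, 1, 12, &acc);
    printf("vulnerable, DRQ left set: %d writes accepted, %d neighbor bytes clobbered\n", acc, clob);
    clob = simulate_pio(1, 1, 12, &acc);
    printf("hardened,   DRQ left set: %d writes accepted, %d neighbor bytes clobbered\n", acc, clob);
    return 0;
}
```

In the model the guest sends 12 words against a 4-word transfer: the vulnerable port with a completion path that leaves DRQ set accepts all 12 and overwrites 8 bytes of the neighboring object, while the hardened port stops at 4 regardless of whether DRQ was cleared. The check belongs in every data-port accessor (byte, word and dword, read as well as write), not only in the write path shown, and must not depend on the completion hook having run correctly. For an operator who cannot patch immediately, the condition named in the summary is the knob: removing the emulated CDROM device from untrusted guests removes the reachable path.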

Recent Articles

Xen reports new guest-host escape, this time through CD-ROMs
The Register • Simon Sharwood • 28 Jul 2015

Don't stick your head in the sand, patch QEMU

The Xen Project has reported another guest/host escape bug, its third for the year including the VENOM vuln and the XSA-135 SNAFU. The new vuln glories in the name XSA-138, aka CVE-2015-5154 and means “An HVM guest which has access to an emulated IDE CDROM device (e.g. with a device with "devtype=cdrom", or the "cdrom" convenience alias, in the VBD configuration) can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process.” “All Xen syst...