CVE-2015-3209 : Heap-based buffer overflow in the PCNET controller in QEMU allows remote attacke

Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.

Published 2015-06-15 15:59:00

Updated 2023-02-13 00:48:06

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: OverflowMemory CorruptionExecute code

Products affected by CVE-2015-3209

Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 6.6
cpe:2.3:o:redhat:enterprise_linux_eus:6.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 5.0
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 5.0
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 6.6
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
Matching versions
Redhat » Openstack » Version: 5.0
cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 6.0
Redhat » Enterprise Linux Server Tus » Version: 6.6
cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:*
Matching versions
Redhat » Virtualization » Version: 3.0
cpe:2.3:a:redhat:virtualization:3.0:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 6.0
Suse » Linux Enterprise Desktop » Version: 11 Update SP3
cpe:2.3:o:suse:linux_enterprise_desktop:11:sp3:*:*:*:*:*:*
Matching versions
Suse » Linux Enterprise Desktop » Version: 12
cpe:2.3:o:suse:linux_enterprise_desktop:12:-:*:*:*:*:*:*
Matching versions
Suse » Linux Enterprise Server » Version: 10 Update SP4 Ltss Edition
cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:ltss:*:*:*
Matching versions
Suse » Linux Enterprise Server » Version: 11 Update SP1 Ltss Edition
cpe:2.3:o:suse:linux_enterprise_server:11:sp1:*:*:ltss:*:*:*
Matching versions
Suse » Linux Enterprise Server » Version: 11 Update SP2 Ltss Edition
cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:ltss:*:*:*
Matching versions
Suse » Linux Enterprise Server » Version: 11 Update SP3
cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:-:*:*
Matching versions
Suse » Linux Enterprise Server » Version: 12
cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*
Matching versions
Suse » Linux Enterprise Software Development Kit » Version: 11 Update SP3
cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp3:*:*:*:*:*:*
Matching versions
Suse » Linux Enterprise Software Development Kit » Version: 12
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:-:*:*:*:*:*:*
Matching versions
Suse » Linux Enterprise Debuginfo » Version: 11 Update SP2
cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp2:*:*:*:*:*:*
Matching versions
Juniper » Junos Space
Versions up to, including, (<=) 15.1
cpe:2.3:a:juniper:junos_space:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 15.04
cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.10
cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 20
cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 21
cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 22
cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
Matching versions
Qemu » Qemu
Versions up to, including, (<=) 2.3.1
cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
Matching versions
Arista » EOS » Version: 4.15
cpe:2.3:o:arista:eos:4.15:*:*:*:*:*:*:*
Matching versions
Arista » EOS » Version: 4.12
cpe:2.3:o:arista:eos:4.12:*:*:*:*:*:*:*
Matching versions
Arista » EOS » Version: 4.13
cpe:2.3:o:arista:eos:4.13:*:*:*:*:*:*:*
Matching versions
Arista » EOS » Version: 4.14
cpe:2.3:o:arista:eos:4.14:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-3209

EPSS FAQ

21.50%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 95 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-3209

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2015-3209

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-3209

http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00027.html

[security-announce] SUSE-SU-2015:1643-1: important: Security update for
Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00029.html

[security-announce] SUSE-SU-2015:1156-1: important: Security update for
Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00020.html

[security-announce] SUSE-SU-2015:1426-1: important: Security update for
Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00004.html

[security-announce] SUSE-SU-2015:1042-1: important: Security update for
Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00027.html

[security-announce] SUSE-SU-2015:1152-1: important: Security update for
Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00015.html

[security-announce] SUSE-SU-2015:1519-1: important: Security update for
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.arista.com/en/support/advisories-notices/security-advisories/1180-security-advisory-13

Security Advisory 0013 - Arista
Third Party Advisory

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160677.html

[SECURITY] Fedora 21 Update: xen-4.4.2-6.fc21
Third Party Advisory
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698

Juniper Networks - 2015-10 Security Bulletin: Junos Space: Multiple Vulnerabilities in Junos Space
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-1189.html

RHSA-2015:1189 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160685.html

[SECURITY] Fedora 20 Update: xen-4.3.4-6.fc20
Third Party Advisory

CVEs referencing this url
http://www.debian.org/security/2015/dsa-3284

Debian -- Security Information -- DSA-3284-1 qemu
Third Party Advisory

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2630-1

USN-2630-1: QEMU vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
http://www.debian.org/security/2015/dsa-3285

Debian -- Security Information -- DSA-3285-1 qemu-kvm
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/75123

QEMU AMD PCnet Ethernet Emulation Heap Based Buffer Overflow Vulnerability
Third Party Advisory;VDB Entry
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00007.html

[security-announce] SUSE-SU-2015:1045-1: important: Security update for
Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00030.html

[security-announce] SUSE-SU-2015:1157-1: important: Security update for
Mailing List;Third Party Advisory

CVEs referencing this url
https://kb.juniper.net/JSA10783

Juniper Networks - 2017-04 Security Bulletin: Multiple Vulnerabilities in NorthStar Controller Application before version 2.1.0 Service Pack 1.
Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/201604-03

Xen: Multiple vulnerabilities (GLSA 201604-03) — Gentoo security
Third Party Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1032545

Xen Heap Overflow in QEMU PCNET Controller Lets Local Guest Users Gain Privileges on the Host System - SecurityTracker
Third Party Advisory;VDB Entry
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160669.html

[SECURITY] Fedora 22 Update: xen-4.5.0-11.fc22
Third Party Advisory
http://xenbits.xen.org/xsa/advisory-135.html

XSA-135 - Xen Security Advisories
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1088.html

RHSA-2015:1088 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://security.gentoo.org/glsa/201510-02

QEMU: Arbitrary code execution (GLSA 201510-02) — Gentoo security
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-1087.html

RHSA-2015:1087 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1089.html

RHSA-2015:1089 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
http://www.debian.org/security/2015/dsa-3286

Debian -- Security Information -- DSA-3286-1 xen
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00014.html

[security-announce] SUSE-SU-2015:1206-1: important: Security update for
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2015-3209

Products affected by CVE-2015-3209

Exploit prediction scoring system (EPSS) score for CVE-2015-3209

CVSS scores for CVE-2015-3209

CWE ids for CVE-2015-3209

References for CVE-2015-3209