Vulnerability Details : CVE-2016-3710
The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.
Vulnerability category: OverflowExecute code
Products affected by CVE-2016-3710
- cpe:2.3:a:hp:helion_openstack:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:helion_openstack:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:helion_openstack:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:hp:helion_openstack:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:8:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:virtualization:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:linux:5:-:*:*:*:*:*:*
- cpe:2.3:o:oracle:linux:6:-:*:*:*:*:*:*
- cpe:2.3:o:oracle:linux:7:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:vm_server:3.2:*:*:*:*:*:x86:*
- cpe:2.3:a:oracle:vm_server:3.3:*:*:*:*:*:x86:*
- cpe:2.3:a:oracle:vm_server:3.4:*:*:*:*:*:x86:*
- cpe:2.3:a:citrix:xenserver:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:2.6.0:rc0:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:2.6.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:2.6.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:2.6.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:2.6.0:rc4:*:*:*:*:*:*
Threat overview for CVE-2016-3710
Top countries where our scanners detected CVE-2016-3710
Top open port discovered on systems with this issue
8200
IPs affected by CVE-2016-3710 13
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2016-3710!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2016-3710
0.20%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 58 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-3710
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2
|
HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
3.9
|
10.0
|
NIST | |
8.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
2.0
|
6.0
|
NIST |
CWE ids for CVE-2016-3710
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-3710
-
http://www.openwall.com/lists/oss-security/2016/05/09/3
oss-security - CVE-2016-3710 Qemu: vga: out-of-bounds r/w access issueMailing List;Third Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-0997.html
RHSA-2016:0997 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-1002.html
RHSA-2016:1002 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05164862
HPSBGN03620 rev.1 - HPE Helion OpenStack using OpenSSL and QEMU, Remote Unauthorized Data AccessThird Party Advisory;Vendor Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-0725.html
RHSA-2016:0725 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-1001.html
RHSA-2016:1001 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://support.citrix.com/article/CTX212736
Citrix XenServer Multiple Security UpdatesThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-1943.html
RHSA-2016:1943 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.ubuntu.com/usn/USN-2974-1
USN-2974-1: QEMU vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://xenbits.xen.org/xsa/advisory-179.html
XSA-179 - Xen Security AdvisoriesThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-0999.html
RHSA-2016:0999 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
Oracle Linux Bulletin - October 2016Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2016:1224
RHSA-2016:1224 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-1019.html
RHSA-2016:1019 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
Oracle Linux Bulletin - April 2016Third Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-0724.html
RHSA-2016:0724 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.securitytracker.com/id/1035794
Xen Qemu VGA Module Bugs Let Local Users on the Guest Deny Service on the Guest or Gain Elevated Privileges on the Host System - SecurityTrackerThird Party Advisory;VDB Entry
-
https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg01197.html
[Qemu-devel] [PULL 1/5] vga: fix banked access bounds checking (CVE-2016Mailing List;Patch;Third Party Advisory
-
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
Oracle VM Server for x86 Bulletin - July 2016Third Party Advisory
-
http://www.debian.org/security/2016/dsa-3573
Debian -- Security Information -- DSA-3573-1 qemuThird Party Advisory
-
http://www.securityfocus.com/bid/90316
QEMU CVE-2016-3710 Remote Code Execution VulnerabilityThird Party Advisory;VDB Entry
-
http://rhn.redhat.com/errata/RHSA-2016-1000.html
RHSA-2016:1000 - Security Advisory - Red Hat Customer PortalThird Party Advisory
Jump to