CVE-2018-7550

Description

The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access.

CVSS Metrics

• v3.1•HIGH•Score: 8.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 4.6AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.08%• Percentile: 24%

Techniques & Countermeasures

• CWE-125•Out-of-bounds Read

  The product reads data past the end, or before the beginning, of the intended buffer.

• CWE-787•Out-of-bounds Write

  The product writes data past the end, or before the beginning, of the intended buffer.

Affected Systems

• canonical•ubuntu_linux

  14.04 | 16.04 | 17.10 | 18.04

• debian•debian_linux

  7.0 | 8.0 | 9.0

• qemu•qemu

  ≤ 2.11.1

• redhat•enterprise_linux_desktop

  7.0

• redhat•enterprise_linux_server

  7.0

• redhat•enterprise_linux_server_aus

  7.6 | 7.7

• redhat•enterprise_linux_server_eus

  7.5 | 7.6 | 7.7

• redhat•enterprise_linux_server_tus

  7.6 | 7.7

• redhat•enterprise_linux_workstation

  7.0

References (11)

• https://access.redhat.com/errata/RHSA-2018:1369
• https://lists.gnu.org/archive/html/qemu-devel/2018-02/msg06890.html
• https://lists.debian.org/debian-lts-announce/2018/04/msg00016.html
• https://usn.ubuntu.com/3649-1/
• https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
• https://www.debian.org/security/2018/dsa-4213
• https://lists.debian.org/debian-lts-announce/2018/04/msg00015.html
• http://www.securityfocus.com/bid/103181
• https://bugzilla.redhat.com/show_bug.cgi?id=1549798
• https://access.redhat.com/errata/RHSA-2018:2462
• https://github.com/orangecertcc/security-research/security/advisories/GHSA-f49v-45qp-cv53