CVE-2015-3209

CVSS V2: High 7.5; CVSS V3: None
Description
Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.
Overview
  • CVE ID: CVE-2015-3209
  • Assigner: secalert@redhat.com
  • Vulnerability Status: Modified
  • Published Version: 2015-06-15T15:59:00
  • Last Modified Date: 2023-02-13T00:48:06
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
AND
cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:* 1 OR 2.3.1
AND
cpe:2.3:a:juniper:junos_space:*:*:*:*:*:*:*:* 1 OR 15.1
AND
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:* 1 OR
AND
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* 1 OR
AND
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_eus:6.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:* 1 OR
AND
cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:redhat:virtualization:3.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:* 1 OR
AND
cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp2:*:*:*:*:*:* 1 OR
cpe:2.3:o:suse:linux_enterprise_desktop:11:sp3:*:*:*:*:*:* 1 OR
cpe:2.3:o:suse:linux_enterprise_desktop:12:-:*:*:*:*:*:* 1 OR
cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:ltss:*:*:* 1 OR
cpe:2.3:o:suse:linux_enterprise_server:11:sp1:*:*:ltss:*:*:* 1 OR
cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:ltss:*:*:* 1 OR
cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:-:*:* 1 OR
cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:* 1 OR
cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp3:*:*:*:*:*:* 1 OR
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:-:*:*:*:*:*:* 1 OR
AND
cpe:2.3:o:arista:eos:4.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:arista:eos:4.13:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:arista:eos:4.14:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:arista:eos:4.15:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version: 2.0
  • Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P
  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
  • Base Score: 7.5
  • Severity: HIGH
  • Exploitability Score: 10
  • Impact Score: 6.4
References
Reference URL Reference Tags
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698 Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160669.html Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160677.html Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160685.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00004.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00007.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00027.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00029.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00030.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00014.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00020.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00015.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00027.html Mailing List Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1087.html Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1088.html Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1089.html Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1189.html Third Party Advisory
http://www.debian.org/security/2015/dsa-3284 Third Party Advisory
http://www.debian.org/security/2015/dsa-3285 Third Party Advisory
http://www.debian.org/security/2015/dsa-3286 Third Party Advisory
http://www.securityfocus.com/bid/75123 Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1032545 Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-2630-1 Third Party Advisory
http://xenbits.xen.org/xsa/advisory-135.html Third Party Advisory
https://access.redhat.com/errata/RHSA-2015:1087
https://access.redhat.com/errata/RHSA-2015:1088
https://access.redhat.com/errata/RHSA-2015:1089
https://access.redhat.com/errata/RHSA-2015:1189
https://access.redhat.com/security/cve/CVE-2015-3209
https://bugzilla.redhat.com/show_bug.cgi?id=1225882
https://kb.juniper.net/JSA10783 Third Party Advisory
https://security.gentoo.org/glsa/201510-02 Third Party Advisory
https://security.gentoo.org/glsa/201604-03 Third Party Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/1180-security-advisory-13 Third Party Advisory
History
Created Old Value New Value Data Type Notes
2022-05-10 06:33:01 Added to TrackCVE
2022-12-02 05:05:56 2015-06-15T15:59Z 2015-06-15T15:59:00 CVE Published Date updated
2022-12-02 05:05:56 2022-02-11T05:40:12 CVE Modified Date updated
2022-12-02 05:05:56 Analyzed Vulnerability Status updated
2023-02-02 17:05:00 2023-02-02T15:16:36 CVE Modified Date updated
2023-02-02 17:05:00 Analyzed Modified Vulnerability Status updated
2023-02-02 17:05:01 Old Value: Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set. New Value: A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. Description updated
2023-02-02 17:05:05 References updated
2023-02-13 01:05:58 2023-02-13T00:48:06 CVE Modified Date updated
2023-02-13 01:05:58 Old Value: A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. New Value: Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set. Description updated