Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Local
0

CVE-2016-1714

Disclosure Date: April 07, 2016
CVE-2016-1714 CVSS v3 Base Score: 8.1
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An out-of-bounds read/write flaw was discovered in the way QEMU’s Firmware Configuration device emulation processed certain firmware configurations. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance or, potentially, execute arbitrary code on the host with privileges of the QEMU process.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
8.1 High
Impact Score:
6
Exploitability Score:
1.4
Vector:
CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Changed
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Red Hat Enterprise Linux 6 2:0.12.1.2-2.479.el6_7.4
Red Hat Enterprise Linux 7 10:1.5.3-105.el7_2.3
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 2:0.12.1.2-2.479.el6_7.4
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 10:2.3.0-31.el7_2.7
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 10:2.3.0-31.el7_2.7
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 10:2.3.0-31.el7_2.7
RHEV 3.6 For IBM Power Systems 10:2.3.0-31.el7_2.7
RHEV 3.X Hypervisor and Agents for RHEL-6 2:0.12.1.2-2.479.el6_7.4
RHEV 3.X Hypervisor and Agents for RHEL-7 10:2.3.0-31.el7_2.7
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • Red Hat

Products

  • Red Hat Enterprise Linux 6,
  • Red Hat Enterprise Linux 7,
  • Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6,
  • Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7,
  • Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7,
  • Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7,
  • RHEV 3.6 For IBM Power Systems,
  • RHEV 3.X Hypervisor and Agents for RHEL-6,
  • RHEV 3.X Hypervisor and Agents for RHEL-7

References

Canonical
CVE-2016-1714 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1714)
BID-80250 (http://www.securityfocus.com/bid/80250)
Advisory
[oss-security] 20160112 Re: CVE request Qemu: nvram: OOB r/w access in processing firmware configurations (http://www.openwall.com/lists/oss-security/2016/01/12/10)
http://rhn.redhat.com/errata/RHSA-2016-0083.html
http://rhn.redhat.com/errata/RHSA-2016-0085.html
http://rhn.redhat.com/errata/RHSA-2016-0086.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
[oss-security] 20160112 Re: Re: CVE request Qemu: nvram: OOB r/w access in processing firmware configurations (http://www.openwall.com/lists/oss-security/2016/01/12/11)
[oss-security] 20160111 CVE request Qemu: nvram: OOB r/w access in processing firmware configurations (http://www.openwall.com/lists/oss-security/2016/01/11/7)
SECTRACK-1034858 (http://www.securitytracker.com/id/1034858)
[Qemu-devel] 20160106 [PATCH v2 for v2.3.0] fw_cfg: add check to validate current entry value (https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg00428.html)
http://rhn.redhat.com/errata/RHSA-2016-0081.html
GLSA-201604-01 (https://security.gentoo.org/glsa/201604-01)
DSA-3469 (http://www.debian.org/security/2016/dsa-3469)
DSA-3470 (http://www.debian.org/security/2016/dsa-3470)
http://rhn.redhat.com/errata/RHSA-2016-0082.html
http://rhn.redhat.com/errata/RHSA-2016-0087.html
http://rhn.redhat.com/errata/RHSA-2016-0084.html
DSA-3471 (http://www.debian.org/security/2016/dsa-3471)
http://rhn.redhat.com/errata/RHSA-2016-0088.html
Miscellaneous
https://access.redhat.com/errata/RHSA-2016:0084
https://access.redhat.com/errata/RHSA-2016:0086
https://access.redhat.com/errata/RHSA-2016:0087
https://access.redhat.com/errata/RHSA-2016:0088
https://access.redhat.com/errata/RHSA-2016:0081
https://access.redhat.com/errata/RHSA-2016:0082
https://access.redhat.com/errata/RHSA-2016:0083
https://access.redhat.com/errata/RHSA-2016:0085
https://access.redhat.com/security/cve/CVE-2016-1714
https://bugzilla.redhat.com/show_bug.cgi?id=1296060

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis