CVE-2007-2893
Published: 2007-05-30
Priority P431 · high · 7.2 (CVSS 2.0)
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.46% (36.6th percentile)
Heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users of the guest operating system to write to arbitrary memory locations and gain privileges on the host operating system via vectors that cause TXCNT register values to exceed the device memory size, aka "RX Frame heap overflow."
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bochs_project | bochs | — | — |
| bochs_project | bochs | >= 0 < 2.3+20070705-1 | 2.3+20070705-1 |
| bochs_project | bochs | >= 0 < 2.3+20070705-1 | 2.3+20070705-1 |
| bochs_project | bochs | >= 0 < 2.3+20070705-1 | 2.3+20070705-1 |
| bochs_project | bochs | >= 0 < 2.3+20070705-1 | 2.3+20070705-1 |
| debian | bochs | < bochs 2.3+20070705-1 (bookworm) | bochs 2.3+20070705-1 (bookworm) |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.2 | HIGH | — |
| vendor_debian | — | 7.2 | LOW | — |
| vendor_redhat | — | 7.2 | HIGH | — |
GHSA
GHSA-4f58-4q55-p757: Heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k
ghsa_unreviewed · 2022-05-01 · HIGH · CWE-119
OSV
CVE-2007-2893: Heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k
osv · 2007-05-30 · CVSS 7.2 · HIGH
Red Hat
xen NE2000 RX Frame Heap Overflow
vendor_redhat · 2007-04-20 · CVSS 7.2 · HIGH
Statement: Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5.
Debian
CVE-2007-2893: bochs - Heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k.cc ...
vendor_debian · 2007 · CVSS 7.2 · HIGH
Scope: local
bookworm: resolved (fixed in 2.3+20070705-1)
bullseye: resolved (fixed in 2.3+20070705-1)
forky: resolved (fixed in 2.3+20070705-1)
sid: resolved (fixed in 2.3+20070705-1)
trixie: resolved (fixed in 2.3+20070705-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2007-2894: bochs guest OS local user DoS
bugzilla · 2007-05-30 · CVSS 7.2 · HIGH
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894
"The emulated floppy disk controller in Bochs 2.3 allows local users of the
guest operating system to cause a denial of service (virtual machine crash) via
unspecified vectors, resulting in a divide-by-zero error."
Discussion:
I've contacted upstream about this, awaiting their response.
---
Since upstream isn't making any progress with regards to this, I've investigated
this a bit further.
This CVE stems from someone doing virtual machine / PC research, and the original
report mentions not one but 2 vulnerabilities:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2893
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894
2893 is a reproducible, most likely exploitable, buffer overflow in the ne20
Bugzilla
CVE-2007-2893 xen NE2000 RX Frame Heap Overflow
bugzilla · 2007-04-20 · CVSS 7.2 · HIGH
A large value in the TXCNT register can exceed the available memory on
the device; this allows an attacker with root privileges in the guest
to poke unexpected data into the device, which results in a complete
compromise of the bochs process (see bx_ne2k_c::rx_frame(), where
s.mem is 32768 bytes, and values up to 0xffff can be inserted into
parameter iolen via the TXCNT register).
Discussion:
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclu
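As an added defensive illustration (not Bochs' code and not the upstream fix), the model below shows the length check the report describes as missing: a copy length that comes from a guest-writable 16-bit register is validated against the space left in the 32768-byte device memory before anything is written. The struct, field and function names are assumptions; only the 32768-byte s.mem size and the 0xffff register range come from the report.

```c
#include <stdint.h>
#include <string.h>

/* Illustrative model, not Bochs' own code. The only figures taken from the
 * bug report are the 32768-byte device memory (s.mem) and the 16-bit TXCNT
 * register, whose value (up to 0xffff) ends up as the copy length. */
#define NE2K_MEM_SIZE 32768u

struct ne2k_model {               /* hypothetical stand-in for the device state */
    uint8_t  mem[NE2K_MEM_SIZE];  /* emulated on-card RAM */
    uint32_t wr_off;              /* write cursor into mem */
};

/* Receive path with the check the report says was missing: io_len is
 * guest-controlled, so it is validated against the space left in mem
 * before anything is copied. Returns 0 on success, -1 when rejected. */
int rx_frame_checked(struct ne2k_model *d, const uint8_t *buf, uint32_t io_len)
{
    if (d->wr_off > NE2K_MEM_SIZE)
        return -1;                /* cursor already out of range: refuse */
    if (io_len > NE2K_MEM_SIZE - d->wr_off)
        return -1;                /* would write past the end of mem */
    memcpy(d->mem + d->wr_off, buf, io_len);
    d->wr_off += io_len;
    return 0;
}

/* Models a guest loading TXCNT directly: returns 1 if a fresh device
 * accepts a frame of that length, 0 if the check rejects it. */
int accept_txcnt(uint16_t txcnt)
{
    static uint8_t frame[0xffff]; /* constructed zero-filled frame */
    struct ne2k_model dev;
    memset(&dev, 0, sizeof dev);
    return rx_frame_checked(&dev, frame, txcnt) == 0;
}

/* Two consecutive frames on one device: the second is checked against the
 * remaining space, not the total. Returns the cursor, or 0 on rejection. */
uint32_t cursor_after_two(uint32_t len1, uint32_t len2)
{
    static uint8_t frame[0xffff];
    struct ne2k_model dev;
    memset(&dev, 0, sizeof dev);
    if (rx_frame_checked(&dev, frame, len1) != 0 ||
        rx_frame_checked(&dev, frame, len2) != 0)
        return 0;
    return dev.wr_off;
}
```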
References
http://bugs.gentoo.org/show_bug.cgi?id=188148
http://osvdb.org/36799
http://secunia.com/advisories/25470
http://secunia.com/advisories/26364
http://secunia.com/advisories/27715
http://security.gentoo.org/glsa/glsa-200711-21.xml
http://taviso.decsystem.org/virtsec.pdf
http://www.debian.org/security/2007/dsa-1351
http://www.securityfocus.com/bid/24246
http://www.vupen.com/english/advisories/2007/1936
https://exchange.xforce.ibmcloud.com/vulnerabilities/34508