CVE-2017-15118
published 2018-07-27


Priority: P2 · 70 · critical 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 11.93% (95.6th percentile)
A stack-based buffer overflow vulnerability was found in the NBD server implementation in qemu before 2.11. A client could request an export name of up to 4096 bytes, where the limit should be 256 bytes, causing an out-of-bounds stack write in the qemu process. If the NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS.

Affected

15 ranges

Vendor     Product           Version range                      Fixed in
canonical  ubuntu_linux
canonical  ubuntu_linux
canonical  ubuntu_linux
debian     qemu              < qemu 1:2.11+dfsg-1 (bookworm)    qemu 1:2.11+dfsg-1 (bookworm)
qemu       qemu              < 2.11                             2.11
qemu       qemu
qemu       qemu              >= 0, < 1:2.11+dfsg-1              1:2.11+dfsg-1
qemu       qemu              >= 0, < 1:2.11+dfsg-1              1:2.11+dfsg-1
qemu       qemu              >= 0, < 1:2.11+dfsg-1              1:2.11+dfsg-1
qemu       qemu              >= 0, < 1:2.11+dfsg-1              1:2.11+dfsg-1
qemu       qemu              >= 0, < 2.0.0+dfsg-2ubuntu1.39     2.0.0+dfsg-2ubuntu1.39
qemu       qemu              >= 0, < 2.0.0+dfsg-2ubuntu1.40     2.0.0+dfsg-2ubuntu1.40
qemu       qemu              >= 0, < 1:2.5+dfsg-5ubuntu10.22    1:2.5+dfsg-5ubuntu10.22
qemu       qemu              >= 0, < 1:2.5+dfsg-5ubuntu10.24    1:2.5+dfsg-5ubuntu10.24
redhat     enterprise_linux

Detection & IOCs (extracted from sources)

command: qemu-io -f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)
  (the printf/tr pair builds a 3000-byte export name, 2999 "a" followed by "1", well past the 256-byte limit; the client only needs to reach the server's option negotiation)
port: 10809
  • Detect NBD client requests with export name length exceeding 256 bytes (up to 4096 bytes) targeting the QEMU NBD server on TCP port 10809 — indicative of CVE-2017-15118 exploitation attempt.
  • The vulnerability was introduced in QEMU commit f37708f6b8 (version 2.10). Monitor for QEMU NBD server processes running versions 2.10.x up to pre-2.11 as vulnerable targets.
  • If the QEMU NBD server is configured with TLS, an attacker must first complete a successful TLS negotiation before triggering the overflow — correlate TLS handshake success followed immediately by an oversized NBD export name request.
  • Monitor for unexpected crashes or termination of qemu/qemu-nbd processes, which may indicate a stack smash exploitation attempt even without full code execution (e.g., -fstack-protector-strong triggering abort).
  • Exploitation is significantly harder (but not impossible) if the QEMU NBD server binary was compiled with -fstack-protector-strong; arbitrary code execution is theoretically still possible, potentially in combination with other CVEs.
  • The vulnerability only affects QEMU versions starting from 2.10 (introduced in commit f37708f6b8); versions prior to 2.10 and 2.11+ (fixed) are not affected.
  • On Red Hat Enterprise Linux 7, only the qemu-kvm-ma package is affected; qemu-kvm and qemu-kvm-rhev packages on RHEL 6/7/8 are listed as not affected.
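The first detection bullet above, as an added example that is not code from this page, from QEMU or from any capture: it encodes and decodes NBD new-style option requests and flags an export name longer than NBD_MAX_NAME_SIZE (256 bytes). The field layouts are the NBD protocol's own (the "IHAVEOPT" option header, the length-prefixed name in NBD_OPT_INFO and NBD_OPT_GO, the bare name in NBD_OPT_EXPORT_NAME); the function names, the "disk0" export and the sample messages are constructed for the example. The 3000-byte name is the one the qemu-io one-liner above produces. The upstream fix landed in nbd_negotiate_handle_info(), the handler for NBD_OPT_INFO and NBD_OPT_GO, which is why the check pays particular attention to those two options while still reporting an oversized NBD_OPT_EXPORT_NAME.

```python
"""Flag NBD new-style option requests that carry an oversized export name.

Added example for this CVE page; not QEMU's code and not captured traffic.
Message layouts follow the NBD protocol's new-style handshake; the sample
bytes at the bottom are constructed in this file.
"""
import struct

NBD_OPTS_MAGIC = b"IHAVEOPT"   # every client option request starts with this
NBD_OPT_EXPORT_NAME = 1        # payload is the name itself, no length prefix
NBD_OPT_INFO = 6               # payload: u32 namelen, name, u16 n, n x u16 info ids
NBD_OPT_GO = 7                 # same payload layout as NBD_OPT_INFO
NBD_MAX_NAME_SIZE = 256        # the bound the vulnerable server failed to enforce
# The server side of this exchange is normally TCP port 10809.

OPT_NAMES = {
    NBD_OPT_EXPORT_NAME: "NBD_OPT_EXPORT_NAME",
    NBD_OPT_INFO: "NBD_OPT_INFO",
    NBD_OPT_GO: "NBD_OPT_GO",
}


def build_option(opt, payload):
    """Encode one option request: magic, u32 option id, u32 length, data (big-endian)."""
    return NBD_OPTS_MAGIC + struct.pack(">II", opt, len(payload)) + payload


def build_info_payload(name, infos=()):
    """Payload for NBD_OPT_INFO / NBD_OPT_GO: length-prefixed name plus info request list."""
    return (struct.pack(">I", len(name)) + name
            + struct.pack(">H", len(infos))
            + b"".join(struct.pack(">H", i) for i in infos))


def inspect_option(data):
    """Decode one client option request and judge its export name.

    Returns {"option": str|None, "name_len": int|None, "alert": str|None}.
    """
    def result(option, name_len, alert):
        return {"option": option, "name_len": name_len, "alert": alert}

    if len(data) < 16 or data[:8] != NBD_OPTS_MAGIC:
        return result(None, None, "not an NBD option request")
    opt, length = struct.unpack(">II", data[8:16])
    option = OPT_NAMES.get(opt, "NBD_OPT_%d" % opt)
    payload = data[16:16 + length]
    if len(payload) != length:
        return result(option, None, "truncated option payload")

    if opt == NBD_OPT_EXPORT_NAME:
        name_len = length
    elif opt in (NBD_OPT_INFO, NBD_OPT_GO):
        if length < 4:
            return result(option, None, "payload too short for a name length")
        name_len = struct.unpack(">I", payload[:4])[0]
        if name_len > length - 4:
            # The server rejects a namelen larger than the option itself before
            # copying anything; still worth a log line as malformed input.
            return result(option, name_len, "namelen exceeds option length")
    else:
        return result(option, None, None)   # this option carries no export name

    if name_len > NBD_MAX_NAME_SIZE:
        return result(option, name_len,
                      "export name of %d bytes exceeds NBD_MAX_NAME_SIZE (%d)"
                      % (name_len, NBD_MAX_NAME_SIZE))
    return result(option, name_len, None)


def scan_stream(buf):
    """Walk a buffer of back-to-back option requests and return one verdict each."""
    findings = []
    while len(buf) >= 16 and buf[:8] == NBD_OPTS_MAGIC:
        length = struct.unpack(">I", buf[12:16])[0]
        findings.append(inspect_option(buf[:16 + length]))
        buf = buf[16 + length:]
    return findings


# Constructed samples, not captured traffic:
# a benign NBD_OPT_GO for an export called "disk0" ...
BENIGN = build_option(NBD_OPT_GO, build_info_payload(b"disk0"))
# ... and the 3000-byte name the page's qemu-io one-liner sends
# (printf %3000d 1 | tr ' ' a yields 2999 "a" followed by "1").
POC_NAME = b"a" * 2999 + b"1"
OVERSIZED = build_option(NBD_OPT_GO, build_info_payload(POC_NAME))

if __name__ == "__main__":
    for finding in scan_stream(BENIGN + OVERSIZED):
        print(finding)
```

This only works on plaintext negotiation. When the server requires TLS, everything after the client's NBD_OPT_STARTTLS is encrypted, so the check has to run on the server side or on decrypted traffic, which is the same constraint the TLS bullet above describes from the attacker's side.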

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                     9.8    CRITICAL
vendor_debian           8.3    HIGH
vendor_redhat           8.3    HIGH
vendor_ubuntu           4.4    MEDIUM