CVE-2017-15118
Published 2018-07-27
Priority P2 70, critical 9.8 (CVSS 3.0), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC referenced (exploit-db 43194, see references)
EPSS: 11.93% (95.6th percentile)
A stack-based buffer overflow was found in the NBD server implementation in QEMU before 2.11: a client can request an export name of up to 4096 bytes, although export names should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If the NBD server requires TLS, the attacker cannot trigger the overflow without first successfully negotiating TLS.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qemu | qemu | < 2.11 | 2.11 |
| debian | qemu | < 1:2.11+dfsg-1 | 1:2.11+dfsg-1 (bookworm, bullseye, trixie, forky, sid) |
| qemu | qemu | < 2.0.0+dfsg-2ubuntu1.39 | 2.0.0+dfsg-2ubuntu1.39 |
| qemu | qemu | < 2.0.0+dfsg-2ubuntu1.40 | 2.0.0+dfsg-2ubuntu1.40 |
| qemu | qemu | < 1:2.5+dfsg-5ubuntu10.22 | 1:2.5+dfsg-5ubuntu10.22 |
| qemu | qemu | < 1:2.5+dfsg-5ubuntu10.24 | 1:2.5+dfsg-5ubuntu10.24 |
| canonical | ubuntu_linux | — | — |
| redhat | enterprise_linux | — | — |
The 1:2.11+dfsg-1 range is the Debian package version (see the Debian entry below); the *ubuntu* ranges are Ubuntu package versions from USN-3575-1 and its follow-up regression update.
Detection & IOCs
- Detect NBD client option requests whose export name length exceeds 256 bytes (the vulnerable server accepts up to 4096) sent to a QEMU NBD server, by default on TCP port 10809; such a request is an attempted CVE-2017-15118 trigger.
- The bug was introduced in QEMU commit f37708f6b8 (shipped in 2.10) and fixed in 2.11, so only 2.10.x builds are affected; inventory qemu and qemu-nbd processes at those versions as vulnerable targets.
- If the NBD server requires TLS, the attacker must complete a successful TLS negotiation before sending the oversized name; correlate a TLS handshake success followed immediately by an oversized NBD export name request.
- Monitor for unexpected crashes or termination of qemu / qemu-nbd processes: a stack-protector abort (for example from -fstack-protector-strong) indicates a stack smash attempt even where code execution was not achieved.
- Exploitation is significantly harder, but not impossible, when the binary was built with -fstack-protector-strong; arbitrary code execution remains theoretically possible, potentially chained with other CVEs.
- On Red Hat Enterprise Linux 7 only the qemu-kvm-ma package is affected; qemu-kvm and qemu-kvm-rhev on RHEL 6/7/8 are listed as not affected.
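Added example, not QEMU's code and not from any of the sources above: a stand-alone C parser for the client's NBD_OPT_GO / NBD_OPT_INFO option that applies the 256-byte export-name bound the fix enforces, together with a builder for constructed messages so it runs offline against 256-, 257- and 4096-byte names. It serves both the description (the bound that was missing before the copy into the stack buffer) and the first detection item (the same check a sensor would apply to captured negotiation bytes). The wire layout follows the NBD newstyle negotiation (u64 "IHAVEOPT" magic, u32 option, u32 length, then u32 name length, name, u16 info-request count); all function, constant and enum names are this example's own.

```c
/* Added example (not QEMU's code): bounds-check the export name in an NBD
 * newstyle NBD_OPT_GO / NBD_OPT_INFO option before it is ever copied into a
 * fixed-size stack buffer.  Build: cc -std=c99 -Wall nbd_opt_go_check.c */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NBD_OPTS_MAGIC    0x49484156454F5054ULL /* "IHAVEOPT" */
#define NBD_OPT_INFO      6
#define NBD_OPT_GO        7
#define NBD_MAX_NAME_SIZE 256                   /* limit the 2.11 fix enforces */
#define NBD_OPT_HDR_LEN   16                    /* magic + option + length */

enum nbd_name_verdict {
    NBD_NAME_OK = 0,     /* name fits the 256-byte limit */
    NBD_NAME_OVERSIZED,  /* 257..4096 bytes: the CVE-2017-15118 trigger */
    NBD_NAME_TRUNCATED,  /* message shorter than its own length fields claim */
    NBD_NAME_NOT_GO      /* bad magic, or an option other than GO/INFO */
};

static uint64_t rd64be(const uint8_t *p)
{ uint64_t v = 0; for (int i = 0; i < 8; i++) v = (v << 8) | p[i]; return v; }
static uint32_t rd32be(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void wr32be(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Classify one client option message (header + payload).  Never copies the
 * name, so it is safe to run over captured negotiation bytes as a detector. */
enum nbd_name_verdict nbd_check_opt_go(const uint8_t *buf, size_t len,
                                       uint32_t *namelen_out)
{
    if (len < NBD_OPT_HDR_LEN || rd64be(buf) != NBD_OPTS_MAGIC)
        return NBD_NAME_NOT_GO;
    uint32_t opt = rd32be(buf + 8), optlen = rd32be(buf + 12);
    if (opt != NBD_OPT_GO && opt != NBD_OPT_INFO)
        return NBD_NAME_NOT_GO;
    /* payload must hold at least the u32 name length and u16 request count */
    if (optlen < 6 || len - NBD_OPT_HDR_LEN < optlen)
        return NBD_NAME_TRUNCATED;
    uint32_t namelen = rd32be(buf + NBD_OPT_HDR_LEN);
    if (namelen_out) *namelen_out = namelen;
    if (namelen > optlen - 6)
        return NBD_NAME_TRUNCATED;  /* name would run past the option */
    /* The check the vulnerable server lacked: reject before any copy. */
    if (namelen > NBD_MAX_NAME_SIZE)
        return NBD_NAME_OVERSIZED;
    return NBD_NAME_OK;
}

/* Hardened copy step: the 257-byte stack buffer is only written after the
 * bounds check passes.  Returns 0 with a NUL-terminated name, else -1. */
int nbd_copy_export_name(const uint8_t *buf, size_t len,
                         char name[NBD_MAX_NAME_SIZE + 1])
{
    uint32_t namelen;
    if (nbd_check_opt_go(buf, len, &namelen) != NBD_NAME_OK)
        return -1;
    memcpy(name, buf + NBD_OPT_HDR_LEN + 4, namelen);
    name[namelen] = '\0';
    return 0;
}

/* Constructed test message: NBD_OPT_GO carrying `namelen` bytes of `fill`
 * and zero info requests.  Returns bytes written, or 0 if `cap` is too small. */
size_t nbd_build_opt_go(uint8_t *out, size_t cap, uint32_t namelen, char fill)
{
    size_t total = NBD_OPT_HDR_LEN + 4 + namelen + 2;
    if (cap < total) return 0;
    uint64_t m = NBD_OPTS_MAGIC;
    for (int i = 7; i >= 0; i--) { out[i] = (uint8_t)m; m >>= 8; }
    wr32be(out + 8, NBD_OPT_GO);
    wr32be(out + 12, 4 + namelen + 2);
    wr32be(out + 16, namelen);
    memset(out + 20, fill, namelen);
    out[20 + namelen] = 0; out[21 + namelen] = 0;
    return total;
}

/* Verdict for a well-formed NBD_OPT_GO whose name is `namelen` bytes long. */
enum nbd_name_verdict nbd_verdict_for_namelen(uint32_t namelen)
{
    uint8_t msg[8192];
    size_t n = nbd_build_opt_go(msg, sizeof msg, namelen, 'A');
    return n ? nbd_check_opt_go(msg, n, NULL) : NBD_NAME_TRUNCATED;
}

int main(void)
{
    static const char *label[] = { "ok", "OVERSIZED", "truncated", "not-go" };
    uint32_t lens[] = { 16, 256, 257, 4096 };  /* 256 is the last legal length */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("NBD_OPT_GO namelen=%4u -> %s\n", (unsigned)lens[i],
               label[nbd_verdict_for_namelen(lens[i])]);
    return 0;
}
```

The detector and the server-side check are the same comparison: a name length of 257 or more is rejected before a single byte is copied, which is exactly the ordering the vulnerable code lacked. Feeding the parser bytes captured after a completed TLS handshake covers the TLS caveat in the list above; the TLS negotiation itself is outside this example.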
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.3 | HIGH | — |
| vendor_redhat | — | 8.3 | HIGH | — |
| vendor_ubuntu | — | 4.4 | MEDIUM | — |
GHSA
GHSA-p8q8-xqgv-rwvr (ghsa, unreviewed, 2022-05-13): CVE-2017-15118 [CRITICAL], CWE-787. Description identical to the one above.
OSV
CVE-2017-15118 (osv, 2018-07-27, CVSS 9.8): CVE-2017-15118 [CRITICAL]. Description identical to the one above.
OSV
qemu regression (osv, 2018-03-05, CVSS 4.4, tagged CVE-2017-11334 [MEDIUM])
USN-3575-1 fixed vulnerabilities in QEMU. The fix for CVE-2017-11334 caused
a regression in Xen environments. This update removes the problematic fix
pending further investigation.
We apologize for the inconvenience.
Original advisory details:
It was discovered that QEMU incorrectly handled guest ram. A privileged
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS. (CVE-2017-11334)
David Buchanan discovered that QEMU incorrectly handled the VGA device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. This issue was only addressed in
Ubuntu 17.10. (CVE-2017-13672)
Thomas Garnier discove
OSV
qemu vulnerabilities (osv, 2018-02-20, CVSS 4.4, tagged CVE-2017-11334 [MEDIUM])
It was discovered that QEMU incorrectly handled guest ram. A privileged
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS. (CVE-2017-11334)
David Buchanan discovered that QEMU incorrectly handled the VGA device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. This issue was only addressed in
Ubuntu 17.10. (CVE-2017-13672)
Thomas Garnier discovered that QEMU incorrectly handled multiboot. An
attacker could use this issue to cause QEMU to crash, resulting in a denial
of service, or possibly execute arbitrary code on the host. In the default
installation, when QEMU is used with libvir
Ubuntu
QEMU regression (vendor_ubuntu, 2018-03-05, CVSS 4.4, tagged CVE-2017-11334 [MEDIUM]). Summary: USN-3575-1 introduced a regression in QEMU. Body identical to the OSV "qemu regression" entry above.
Ubuntu
QEMU vulnerabilities (vendor_ubuntu, 2018-02-20, CVSS 4.4, tagged CVE-2017-11334 [MEDIUM]). Summary: Several security issues were fixed in QEMU. Body identical to the OSV "qemu vulnerabilities" entry above.
Red Hat
Qemu: stack buffer overflow in NBD server triggered via long export name (vendor_redhat, 2017-11-28, CVSS 8.3): CVE-2017-15118 [HIGH], CWE-121. Description identical to the one above.
Debian
CVE-2017-15118: qemu (vendor_debian, 2017, CVSS 8.3): CVE-2017-15118 [HIGH]. Description identical to the one above.
Scope: local
Resolved in bookworm, bullseye, trixie, forky and sid (fixed in 1:2.11+dfsg-1).
Bugzilla
CVE-2017-15118 qemu: Stack-based buffer overflow in NBD server triggered via long export name [fedora-all] (bugzilla, 2017-11-28, CVSS 8.3): CVE-2017-15118 [HIGH]
Automatically created tracking bug to ensure the fix lands in affected versions of fedora-all. Vulnerability-specific comments belong on the "Security Response" bug referenced in the "Blocks" field; see http://fedoraproject.org/wiki/Security/TrackingBugs. Updates should use the fedpkg template from the follow-up comment (which carries this tracking bug's ID and the top-level CVE bugs) and mention the CVE IDs in the RPM changelog and fedpkg commit message.
NOTE: this issue affect
Bugzilla
CVE-2017-15118 qemu: stack buffer overflow in NBD server triggered via long export name [epel-7] (bugzilla, 2017-11-28, CVSS 8.3): CVE-2017-15118 [HIGH]
Automatically created tracking bug to ensure the fix lands in affected versions of epel-7. Vulnerability-specific comments belong on the "Security Response" bug referenced in the "Blocks" field; see http://fedoraproject.org/wiki/Security/TrackingBugs. Updates should use the fedpkg template from the follow-up comment (which carries this tracking bug's ID and the top-level CVE bugs) and mention the CVE IDs in the RPM changelog and fedpkg commit message.
Discussion:
Use the following templa
Bugzilla
CVE-2017-15118 Qemu: stack buffer overflow in NBD server triggered via long export name (bugzilla, 2017-11-23, CVSS 8.3): CVE-2017-15118 [HIGH], CWE-121
A stack-based buffer overflow vulnerability was found in the NBD server implementation in qemu, allowing a client to request an export name of up to 4096 bytes, which should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process.
If the NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS.
Upstream patch:
-> https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05045.html
Reference:
-> http://www.openwall.com/lists/oss-security/2017/11/28/8
Discussion:
Acknowledgments:
Name: Eric Blake (Red Hat)
---
Created attachment 1358264
Proposed patch
---
Issue was introduced by commit:
https://git.qemu.or
References
http://www.openwall.com/lists/oss-security/2017/11/28/8
http://www.securityfocus.com/bid/101975
https://access.redhat.com/errata/RHSA-2018:1104
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15118
https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05045.html
https://usn.ubuntu.com/3575-1/
https://www.exploit-db.com/exploits/43194/