OpenCVE

Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:S/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qemu	Qemu
Redhat	Enterprise Linux Server Enterprise Linux Workstation

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*

No data.

References

Link	Providers
http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5
http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331
http://marc.info/?l=qemu-devel&m=124324043812915
http://rhn.redhat.com/errata/RHEA-2009-1272.html
http://www.openwall.com/lists/oss-security/2009/10/16/5
http://www.openwall.com/lists/oss-security/2009/10/16/8
http://www.securityfocus.com/bid/36716
https://bugzilla.redhat.com/show_bug.cgi?id=501131
https://bugzilla.redhat.com/show_bug.cgi?id=505641
https://bugzilla.redhat.com/show_bug.cgi?id=508567

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2009-10-23T18:00:00

Updated: 2024-08-07T06:31:10.921Z

Reserved: 2009-10-09T00:00:00

Link: CVE-2009-3616

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2009-10-23T18:30:00.390

Modified: 2024-02-15T21:06:20.270

Link: CVE-2009-3616

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-10-16T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2009-12-01T10:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=501131"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331"}, {"name": "[oss-security] 20091016 Re: QEMU VNC use-after-free", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2009/10/16/8"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5"}, {"name": "[qemu-devel] 20090525 Re: [STABLE] [BUG] VNC mode can crash QEMU", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://marc.info/?l=qemu-devel&m=124324043812915"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=508567"}, {"name": "36716", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/36716"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://rhn.redhat.com/errata/RHEA-2009-1272.html"}, {"name": "[oss-security] 20091016 QEMU VNC use-after-free", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2009/10/16/5"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=505641"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2009-3616", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=501131", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=501131"}, {"name": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331", "refsource": "CONFIRM", "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331"}, {"name": "[oss-security] 20091016 Re: QEMU VNC use-after-free", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/10/16/8"}, {"name": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5", "refsource": "CONFIRM", "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5"}, {"name": "[qemu-devel] 20090525 Re: [STABLE] [BUG] VNC mode can crash QEMU", "refsource": "MLIST", "url": "http://marc.info/?l=qemu-devel&m=124324043812915"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=508567", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=508567"}, {"name": "36716", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36716"}, {"name": "http://rhn.redhat.com/errata/RHEA-2009-1272.html", "refsource": "CONFIRM", "url": "http://rhn.redhat.com/errata/RHEA-2009-1272.html"}, {"name": "[oss-security] 20091016 QEMU VNC use-after-free", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/10/16/5"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=505641", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=505641"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T06:31:10.921Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=501131"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331"}, {"name": "[oss-security] 20091016 Re: QEMU VNC use-after-free", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2009/10/16/8"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5"}, {"name": "[qemu-devel] 20090525 Re: [STABLE] [BUG] VNC mode can crash QEMU", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://marc.info/?l=qemu-devel&m=124324043812915"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=508567"}, {"name": "36716", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/36716"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHEA-2009-1272.html"}, {"name": "[oss-security] 20091016 QEMU VNC use-after-free", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2009/10/16/5"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=505641"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2009-3616", "datePublished": "2009-10-23T18:00:00", "dateReserved": "2009-10-09T00:00:00", "dateUpdated": "2024-08-07T06:31:10.921Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*", "matchCriteriaId": "27270035-8337-4B8E-8305-951D7063F2D1", "versionEndIncluding": "0.10.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "54D669D4-6D7E-449D-80C1-28FA44F06FFE", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "D0AC5CD5-6E58-433C-9EB3-6DFE5656463E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de uso anterior a la liberaci\u00f3n en vnc.c del servidor VNC en QEMU v0.10.6 y anteriores, permite a usuarios del sistema anfitri\u00f3n ejecutar c\u00f3digo de su elecci\u00f3n en el sistema hospedado, estableciendo una conexi\u00f3n desde el cliente VNC y a continuaci\u00f3n (1) desconectando durante la transferencia de datos, (2) enviando un mensaje utilizando tipos de datos enteros incorrectos, o (3) utilizando el protocolo Fuzzy Screen Mode, relativo a una doble liberaci\u00f3n de vulnerabilidades."}], "id": "CVE-2009-3616", "lastModified": "2024-02-15T21:06:20.270", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 8.5, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2009-10-23T18:30:00.390", "references": [{"source": "secalert@redhat.com", "tags": ["Broken Link", "Exploit"], "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5"}, {"source": "secalert@redhat.com", "tags": ["Broken Link", "Exploit"], "url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331"}, {"source": "secalert@redhat.com", "tags": ["Mailing List"], "url": "http://marc.info/?l=qemu-devel&m=124324043812915"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHEA-2009-1272.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Patch"], "url": "http://www.openwall.com/lists/oss-security/2009/10/16/5"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Patch"], "url": "http://www.openwall.com/lists/oss-security/2009/10/16/8"}, {"source": "secalert@redhat.com", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/36716"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=501131"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=505641"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=508567"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}