OpenCVE

An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:L/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qemu	Qemu

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2020/04/24/2
https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7
https://nvd.nist.gov/vuln/detail/CVE-2020-11869
https://usn.ubuntu.com/4372-1/
https://www.cve.org/CVERecord?id=CVE-2020-11869

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-04-27T19:00:34

Updated: 2024-08-04T11:42:00.811Z

Reserved: 2020-04-17T00:00:00

Link: CVE-2020-11869

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-04-27T19:15:12.603

Modified: 2024-11-21T04:58:47.573

Link: CVE-2020-11869

Redhat

Severity : Low

Publid Date: 2020-04-07T00:00:00Z

Links: CVE-2020-11869 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2020-04-24T00:00:00", "descriptions": [{"lang": "en", "value": "An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-28T22:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.openwall.com/lists/oss-security/2020/04/24/2"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7"}, {"name": "USN-4372-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4372-1/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-11869", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.openwall.com/lists/oss-security/2020/04/24/2", "refsource": "MISC", "url": "http://www.openwall.com/lists/oss-security/2020/04/24/2"}, {"name": "https://git.qemu.org/?p=qemu.git;a=commit;h=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7", "refsource": "CONFIRM", "url": "https://git.qemu.org/?p=qemu.git;a=commit;h=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7"}, {"name": "USN-4372-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4372-1/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:42:00.811Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/04/24/2"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7"}, {"name": "USN-4372-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4372-1/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-11869", "datePublished": "2020-04-27T19:00:34", "dateReserved": "2020-04-17T00:00:00", "dateUpdated": "2024-08-04T11:42:00.811Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5DF3435-3BC5-4FB1-A5DC-0E13C155C69B", "versionEndIncluding": "4.2.0", "versionStartIncluding": "4.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service."}, {"lang": "es", "value": "Se encontr\u00f3 un desbordamiento de enteros en QEMU versiones 4.0.1 hasta 4.2.0, en la manera en que implement\u00f3 la emulaci\u00f3n ATI VGA. Este error se produce en la rutina ati_2d_blt() en el archivo hw/display/ati-2d.c mientras se manejan operaciones de escritura MMIO por medio de la devoluci\u00f3n de llamada de ati_mm_write(). Un invitado malicioso podr\u00eda abusar de este fallo para bloquear el proceso QEMU, resultando en una denegaci\u00f3n de servicio."}], "id": "CVE-2020-11869", "lastModified": "2024-11-21T04:58:47.573", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-27T19:15:12.603", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/04/24/2"}, {"source": "cve@mitre.org", "url": "https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4372-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/04/24/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/4372-1/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Ziming Zhang for reporting this issue.", "bugzilla": {"description": "qemu: integer overflow in ati_2d_blt() in hw/display/ati-2d.c could lead to DoS", "id": "1809955", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1809955"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-190->(CWE-125|CWE-787)", "details": ["An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.", "An integer overflow flaw was found in QEMU in the way it implemented the ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations through ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service."], "name": "CVE-2020-11869", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "kvm", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "xen", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm-ma", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "virt:rhel/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Not affected", "package_name": "virt:8.1/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2020-04-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-11869\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11869"], "statement": "This flaw did not affect the following versions of QEMU as they did not include support for ATI VGA emulation:\n* `qemu-kvm-ma` as shipped with Red Hat Enterprise Linux 7.\n* `qemu-kvm-rhev` as shipped with Red Hat Virtualization and Red Hat OpenStack.\n* `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, 7 and 8.\nATI VGA emulation feature was introduced in QEMU upstream version v4.0.0.", "threat_severity": "Low", "upstream_fix": "qemu 5.0.0"}