CVE-2023-1544 - OpenCVE

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Qemu	Qemu

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2023-1544
https://bugzilla.redhat.com/show_bug.cgi?id=2180364
https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html
https://nvd.nist.gov/vuln/detail/CVE-2023-1544
https://security.netapp.com/advisory/ntap-20230511-0005/
https://www.cve.org/CVERecord?id=CVE-2023-1544

History

No history.

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2023-03-23T00:00:00

Updated: 2024-08-02T05:49:11.767Z

Reserved: 2023-03-21T00:00:00

Link: CVE-2023-1544

Vulnrichment

Updated: 2024-08-02T05:49:11.767Z

NVD

Status : Modified

Published: 2023-03-23T20:15:14.497

Modified: 2024-04-19T14:15:08.210

Link: CVE-2023-1544

Redhat

Severity : Low

Publid Date: 2023-02-27T00:00:00Z

Links: CVE-2023-1544 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-1544", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "assignerShortName": "fedora", "dateUpdated": "2024-08-02T05:49:11.767Z", "dateReserved": "2023-03-21T00:00:00", "datePublished": "2023-03-23T00:00:00"}, "containers": {"cna": {"title": "Qemu: pvrdma: out-of-bounds read in pvrdma_ring_next_elem_read()", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU."}], "affected": [{"versions": [{"status": "unaffected", "version": "8.2.0-rc0", "lessThan": "*", "versionType": "semver"}], "packageName": "qemu", "collectionURL": "https://gitlab.com/qemu-project/qemu", "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1544", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180364"}, {"url": "https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html"}, {"url": "https://security.netapp.com/advisory/ntap-20230511-0005/"}], "datePublic": "2023-02-27T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-125: Out-of-bounds Read", "timeline": [{"lang": "en", "time": "2023-02-27T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-02-27T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank SorryMybad (Kunlun Lab) for reporting this issue."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:34:48.957Z"}}, "adp": [{"affected": [{"vendor": "qemu", "product": "rdma", "cpes": ["cpe:2.3:a:qemu:rdma:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "8.2.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-19T18:10:20.763384Z", "id": "CVE-2023-1544", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T13:49:11.714Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:49:11.767Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1544", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180364", "tags": ["x_transferred"]}, {"url": "https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230511-0005/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1544", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180364", "tags": ["x_transferred"]}, {"url": "https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230511-0005/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:49:11.767Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-1544", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-19T18:10:20.763384Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:qemu:rdma:*:*:*:*:*:*:*:*"], "vendor": "qemu", "product": "rdma", "versions": [{"status": "affected", "version": "0", "lessThan": "8.2.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-19T18:11:52.361Z"}}], "cna": {"title": "Qemu: pvrdma: out-of-bounds read in pvrdma_ring_next_elem_read()", "credits": [{"lang": "en", "value": "Red Hat would like to thank SorryMybad (Kunlun Lab) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "unaffected", "version": "8.2.0-rc0", "lessThan": "*", "versionType": "semver"}], "packageName": "qemu", "collectionURL": "https://gitlab.com/qemu-project/qemu", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2023-02-27T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-02-27T00:00:00+00:00", "value": "Made public."}], "datePublic": "2023-02-27T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1544", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180364"}, {"url": "https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html"}, {"url": "https://security.netapp.com/advisory/ntap-20230511-0005/"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:34:48.957Z"}, "x_redhatCweChain": "CWE-125: Out-of-bounds Read"}}, "cveMetadata": {"cveId": "CVE-2023-1544", "state": "PUBLISHED", "dateUpdated": "2024-08-02T05:49:11.767Z", "dateReserved": "2023-03-21T00:00:00", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2023-03-23T00:00:00", "assignerShortName": "fedora"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*", "matchCriteriaId": "7CCEA83E-03FB-45F9-9CE1-D3399FBD0782", "versionEndIncluding": "7.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU."}], "id": "CVE-2023-1544", "lastModified": "2024-04-19T14:15:08.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 4.0, "source": "patrick@puiterwijk.org", "type": "Secondary"}]}, "published": "2023-03-23T20:15:14.497", "references": [{"source": "patrick@puiterwijk.org", "url": "https://access.redhat.com/security/cve/CVE-2023-1544"}, {"source": "patrick@puiterwijk.org", "tags": ["Issue Tracking", "Mailing List", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180364"}, {"source": "patrick@puiterwijk.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html"}, {"source": "patrick@puiterwijk.org", "url": "https://security.netapp.com/advisory/ntap-20230511-0005/"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank SorryMybad (Kunlun Lab) for reporting this issue.", "bugzilla": {"description": "QEMU: pvrdma: out-of-bounds read in pvrdma_ring_next_elem_read()", "id": "2180364", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180364"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.", "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU."], "name": "CVE-2023-1544", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm-ma", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "virt:rhel/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Not affected", "package_name": "virt:8.2/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Not affected", "package_name": "virt:av/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2023-02-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-1544\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-1544"], "statement": "The versions of `qemu-kvm` as shipped with Red Hat Enterprise Linux and RHEL Advanced Virtualization are not affected by this flaw, as they are not built with PVRDMA support.", "threat_severity": "Low", "upstream_fix": "qemu-kvm 8.2.0"}