Vulnerability CVE-2007-5730

Vulnerability Name:

CVE-2007-5730 (CCN-38239)

Assigned:

2007-10-23

Published:

2007-10-23

Updated:

2020-12-15

Summary:

Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the "net socket listen" option, aka QEMU "net socket" heap overflow.
Note: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the individual net socket listen vulnerability.

CVSS v3 Severity:

5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-787

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2007-5730

Source: CCN
Type: QEMU Web site
QEMU

Source: OSVDB
Type: Broken Link
42985

Source: CCN
Type: RHSA-2008-0194
Important: xen security and bug fix update

Source: CCN
Type: SA25073
QEMU Various Vulnerabilities

Source: SECUNIA
Type: Third Party Advisory, Vendor Advisory
25073

Source: SECUNIA
Type: Third Party Advisory
25095

Source: SECUNIA
Type: Third Party Advisory
27486

Source: CCN
Type: SA29129
KVM Block Device Backend Security Bypass

Source: SECUNIA
Type: Third Party Advisory
29129

Source: SECUNIA
Type: Third Party Advisory
29963

Source: MISC
Type: Technical Description, Third Party Advisory
http://taviso.decsystem.org/virtsec.pdf

Source: VIM
Type: Third Party Advisory
20071030 Clarification on old QEMU/NE2000/Xen issues

Source: DEBIAN
Type: Third Party Advisory
DSA-1284

Source: MANDRIVA
Type: Third Party Advisory
MDKSA-2007:203

Source: MANDRIVA
Type: Third Party Advisory
MDVSA-2008:162

Source: CCN
Type: OSVDB ID: 42985
QEMU net socket listen Option Local Overflow

Source: REDHAT
Type: Third Party Advisory
RHSA-2008:0194

Source: BID
Type: Third Party Advisory, VDB Entry
23731

Source: CCN
Type: BID-23731
QEMU Multiple Local Vulnerabilities

Source: VUPEN
Type: Third Party Advisory
ADV-2007-1597

Source: XF
Type: Third Party Advisory, VDB Entry
qemu-net-socket-bo(38239)

Source: XF
Type: UNKNOWN
qemu-net-socket-bo(38239)

Source: OVAL
Type: Third Party Advisory
oval:org.mitre.oval:def:10000

Vulnerable Configuration:

Configuration 1:

cpe:/a:qemu:qemu:0.8.2:*:*:*:*:*:*:*

AND

cpe:/o:xen:xen:*:*:*:*:*:*:*:*

Configuration 2:

cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/a:redhat:rhel_virtualization:5:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:rhel_virtualization:5::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/a:redhat:rhel_virtualization:5::server:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

Configuration RedHat 6:

cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

Configuration CCN 1:

cpe:/a:fabrice_bellard:qemu:0.8.2:*:*:*:*:*:*:*

AND

cpe:/o:mandrakesoft:mandrake_linux:2007:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007::x86_64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

OR cpe:/a:redhat:rhel_virtualization:5:*:server:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007.1:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.1:x86_64:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007.1::x86-64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:22720	P	ELSA-2008:0194: xen security and bug fix update (Important)	2014-05-26
oval:org.mitre.oval:def:10000	V	Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the "net socket listen" option, aka QEMU "net socket" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the individual net socket listen vulnerability.	2013-04-29
oval:com.redhat.rhsa:def:20080194	P	RHSA-2008:0194: xen security and bug fix update (Important)	2008-05-13

BACK