Vigil@nce - Qemu: denial of service via IDE WIN_READ_NATIVE_MAX
September 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who is privileged in the guest system can use the IDE
WIN_READ_NATIVE_MAX command on Qemu, in order to trigger a denial
of service on the host system.
Impacted products: Debian, QEMU, Ubuntu.
Severity: 1/4.
Creation date: 10/09/2015.
DESCRIPTION OF THE VULNERABILITY
The Qemu product can emulate an IDE disk or a CD/DVD drive.
The IDE WIN_READ_NATIVE_MAX command is used to obtain the size of
a drive. However, when this command is sent to an empty ATAPI
drive (of size zero), a division by zero occurs.
An attacker who is privileged in the guest system can therefore
use the IDE WIN_READ_NATIVE_MAX command on Qemu, in order to
trigger a denial of service on the host system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Qemu-denial-of-service-via-IDE-WIN-READ-NATIVE-MAX-17862