QEMU 'FW _ cmd_write () 'function Remote Code Execution Vulnerability (CVE-2016-1714)
QEMU 'FW _ cmd_write () 'function Remote Code Execution Vulnerability (CVE-2016-1714)
Release date:
Updated on:
Affected Systems:
QEMU <1, 2.4
Description:
Bugtraq id: 80250
CVE (CAN) ID: CVE-2016-1714
QEMU is an open source simulator software.
In versions earlier than Qemu 2.4 that support firmware configuration device simulation, fw_0000_write and fw_0000_read functions in hw/nvram/fw_cfg.c have security vulnerabilities, this vulnerability may cause DoS attacks or arbitrary code execution by client OS users with CAP_SYS_RAWIO permissions.
<* Source: Mr. Donghai Zhu
*>
Suggestion:
Vendor patch:
QEMU
----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
Http://fabrice.bellard.free.fr/qemu/
Use KVM + Qemu to build a virtual machine in Ubuntu
Linux getting started Tutorial: QEMU for Virtual Machine experience
Ubuntu 12.04 cannot find the Qemu command
Install QEMU + efi bios on Arch Linux
QEMU translation framework and debugging tools
QEMU code analysis: BIOS loading process
QEMU details: click here
QEMU: click here
This article permanently updates the link address: