1227634 – (CVE-2015-3215) CVE-2015-3215 virtio-win: netkvm: malformed packet can cause BSOD

Bug 1227634 (CVE-2015-3215) - CVE-2015-3215 virtio-win: netkvm: malformed packet can cause BSOD

Summary: CVE-2015-3215 virtio-win: netkvm: malformed packet can cause BSOD

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-3215
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1169718 1172091 1207168 1210208 1210211
Blocks:	1169740
TreeView+	depends on / blocked

Reported:	2015-06-03 08:14 UTC by Petr Matousek
Modified:	2023-05-12 09:30 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2021-10-21 00:45:49 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1043	0	normal	SHIPPED_LIVE	Important: virtio-win security and bug fix update	2015-06-03 13:50:15 UTC
Red Hat Product Errata	RHSA-2015:1044	0	normal	SHIPPED_LIVE	Important: virtio-win security and bug fix update	2015-06-03 14:09:31 UTC

Description Petr Matousek 2015-06-03 08:14:25 UTC

It was found that the Windows Virtio NIC driver did not sufficiently sanitize the length of the incoming IP packets, as demonstrated by a packet with IP options present but the overall packet length not being adjusted to reflect the length of those options.

A remote attacker able to send a specially crafted IP packet to the guest could use this flaw to crash that guest.

Upstream commits:

https://github.com/YanVugenfirer/kvm-guest-drivers-windows/commit/723416fa4210b7464b28eab89cc76252e6193ac1
https://github.com/YanVugenfirer/kvm-guest-drivers-windows/commit/fbfa4d1083ea84c5429992ca3e996d7d4fbc8238

Acknowledgements:

Red Hat would like to thank Google Project Zero for reporting this issue.

Comment 1 Petr Matousek 2015-06-03 08:31:32 UTC

Statement:

This issue does affect the virtio-win packages as shipped with Red Hat Enteprise Linux 6 and 7. Future updates for the respective releases will address this issue.

Comment 3 errata-xmlrpc 2015-06-03 09:50:57 UTC

This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2015:1043 https://rhn.redhat.com/errata/RHSA-2015-1043.html

Comment 4 errata-xmlrpc 2015-06-03 10:10:05 UTC

This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2015:1044 https://rhn.redhat.com/errata/RHSA-2015-1044.html

Note You need to log in before you can comment on or make changes to this bug.