CVSS2: AV:L/AC:L/Au:N/C:C/I:C/A:C
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS3: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

EPSS Percentile: 59.8%
The Qemu VGA module allows banked access to video memory using the window at 0xa00000, and it supports different access modes with different address calculations. However, an attacker can easily change the access mode after setting the bank register. This is CVE-2016-3710.
The Qemu VGA module allows the guest to edit certain registers in ‘vbe’ and ‘vga’ modes, i.e. the guest could set certain ‘VGA’ registers while in ‘VBE’ mode. This is CVE-2016-3712.
A privileged guest user could use CVE-2016-3710 to exceed the bank address window and write beyond the said memory area, potentially leading to arbitrary code execution with the privileges of the Qemu process. If the system is not using stubdomains, this will be in domain 0.
A privileged guest user could use CVE-2016-3712 to cause potential integer overflow or out-of-bounds read issues in Qemu, resulting in a DoS of the guest itself. More dangerous effects, such as data leakage or code execution, are not known but cannot be ruled out.
Versions of qemu shipped with all Xen versions are vulnerable.
Xen systems running on x86 with HVM guests, with the qemu process running in dom0 are vulnerable.
Only guests provided with the “stdvga” emulated video card can exploit the vulnerability. The default “cirrus” emulated video card is not vulnerable. (With xl the emulated video card is controlled by the “stdvga=” and “vga=” domain configuration options.)
ARM systems are not vulnerable. Systems using only PV guests are not vulnerable.
For VMs whose qemu process is running in a stub domain, a successful attacker will only gain the privileges of that stubdom, which should be only over the guest itself.
Both upstream-based versions of qemu (device_model_version=“qemu-xen”) and ‘traditional’ qemu (device_model_version=“qemu-xen-traditional”) are vulnerable.
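The exposure conditions above (x86 HVM guest, stdvga emulated card, qemu in dom0 versus a stubdomain) can be checked per domain from its xl configuration. The following triage script is an added example, not part of the advisory or the Xen tools; it reads the standard xl.cfg keys type/builder, vga, stdvga and device_model_stubdomain_override, and the sample configuration it parses is constructed.

```python
import re

# Constructed sample xl domain configuration (not taken from the advisory):
# an HVM guest using the stdvga emulated card, with qemu running in dom0.
SAMPLE_CFG = """
name = "hvm-guest-1"
builder = "hvm"          # older configs use builder=, newer ones use type=
memory = 2048
vga = "stdvga"           # equivalent to the legacy stdvga=1 option
device_model_version = "qemu-xen"
"""

def parse_xl_cfg(text):
    """Minimal parser for the key = value lines of an xl domain config."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"^(\w+)\s*=\s*(.+)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip().strip("\"'")
    return cfg

def _enabled(value):
    return str(value).lower() in ("1", "true")

def assess_xsa179(cfg):
    """Return (exposed, reason) according to the advisory's conditions."""
    guest_type = cfg.get("type", cfg.get("builder", "generic")).lower()
    if guest_type != "hvm":
        return False, "not an HVM guest (PV guests are not vulnerable)"
    stdvga = cfg.get("vga", "").lower() == "stdvga" or _enabled(cfg.get("stdvga", "0"))
    if not stdvga:
        return False, "stdvga not enabled (default cirrus card is not vulnerable)"
    if _enabled(cfg.get("device_model_stubdomain_override", "0")):
        return True, ("stdvga HVM guest; qemu runs in a stubdomain, "
                      "so impact is limited to that stubdom")
    return True, "stdvga HVM guest with qemu in dom0: dom0 compromise possible"

if __name__ == "__main__":
    exposed, reason = assess_xsa179(parse_xl_cfg(SAMPLE_CFG))
    print("exposed" if exposed else "not exposed", "-", reason)
```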