CVE-2017-10664 — HIGH (7.5)

Q: What is CVE-2017-10664?

CVE-2017-10664 is a vulnerability with a CVSS score of 7.5 (HIGH). qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt.

Q: How severe is CVE-2017-10664?

CVE-2017-10664 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-10664?

Check the references section above for vendor advisories and patch information. Affected products include: Qemu Qemu, Debian Debian Linux, Redhat Virtualization, Redhat Enterprise Linux, Redhat Openstack.

Vulnerability Description

qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Qemu	Qemu	<= 2.9.1
Debian	Debian Linux	8.0
Redhat	Virtualization	3.0
Redhat	Enterprise Linux	7.0
Redhat	Openstack	6.0
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Eus	7.4
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Server Aus	7.4
Redhat	Enterprise Linux Server Tus	7.4
Redhat	Enterprise Linux Workstation	7.0

References

http://www.debian.org/security/2017/dsa-3920Third Party Advisory
http://www.openwall.com/lists/oss-security/2017/06/29/1Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/99513Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:2390Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2445Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3466Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3470Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3471Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3472Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3473Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3474Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1466190Issue TrackingPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/11/msg00038.htmlMailing ListThird Party Advisory
https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.htmlMailing ListPatchThird Party Advisory
http://www.debian.org/security/2017/dsa-3920Third Party Advisory

FAQ

What is CVE-2017-10664?

CVE-2017-10664 is a vulnerability with a CVSS score of 7.5 (HIGH). qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt.

How severe is CVE-2017-10664?

CVE-2017-10664 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-10664?

Check the references section above for vendor advisories and patch information. Affected products include: Qemu Qemu, Debian Debian Linux, Redhat Virtualization, Redhat Enterprise Linux, Redhat Openstack.