Denial of service in QEMU



Published: 2018-11-26 | Updated: 2018-12-17
Risk Low
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2018-19489, CVE-2018-19665, CVE-2018-19364
CWE-ID CWE-362, CWE-190, CWE-416
Exploitation vector Network
Public exploit N/A
Vulnerable software
QEMU
Client/Desktop applications / Virtualization software

Vendor QEMU

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Race condition

EUVDB-ID: #VU16061

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-19489

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to cause a DoS condition on the target system.

The vulnerability exists due to a race condition while renaming files on a shared host directory exported through VirtFS (host directory sharing via Plan 9 File System, 9pfs). An adjacent attacker can win the race to trigger a use-after-free flaw in the 9pfs code and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

External links

http://lists.gnu.org/archive/html/qemu-devel/2018-11/msg04489.html
http://bugzilla.redhat.com/show_bug.cgi?id=1653156


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to trigger the race by renaming files on a shared host directory exported through VirtFS (9pfs).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Integer overflow

EUVDB-ID: #VU16198

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-19665

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to cause a DoS condition on the target system.

The vulnerability exists due to an integer overflow in various Bluetooth routines whose 'len' parameter is a 'signed int' that is subsequently converted to an unsigned integer, so a negative length becomes a very large unsigned value. An adjacent attacker can trigger memory corruption and cause the service to crash.
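The signed-to-unsigned 'len' pattern described above, shown as an added example written for this entry and not taken from QEMU's Bluetooth code. BT_BUF_SIZE, the function names and the frame values are assumptions; the vulnerable routine only reports the byte count memcpy would receive rather than performing the copy, so the example runs safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BT_BUF_SIZE 64   /* hypothetical receive buffer size (assumption) */

/* VULNERABLE shape: 'len' arrives as a signed int. The bound check is
 * evaluated in signed arithmetic, so a negative len passes it; memcpy then
 * receives (size_t)len, a value in the billions. This version returns the
 * byte count memcpy would be handed instead of performing the copy. */
size_t unsafe_memcpy_size(int len) {
    if (len > BT_BUF_SIZE)
        return 0;               /* rejected, but only positive overruns */
    return (size_t)len;         /* -1 becomes SIZE_MAX here */
}

/* FIXED shape: the length is unsigned end to end and bounded against the
 * destination before the copy. Returns bytes copied, 0 on reject. */
size_t safe_copy(uint8_t *dst, size_t dst_size, const uint8_t *src, size_t len) {
    if (len > dst_size)
        return 0;
    memcpy(dst, src, len);
    return len;
}

/* Wrapper with internal buffers so the check can be exercised without the
 * caller owning memory; src is twice BT_BUF_SIZE so every accepted len is
 * readable. */
size_t safe_copy_demo(size_t len) {
    uint8_t src[BT_BUF_SIZE * 2];
    uint8_t dst[BT_BUF_SIZE];
    memset(src, 0xAB, sizeof src);
    return safe_copy(dst, sizeof dst, src, len);
}

/* Where a negative length comes from in practice: a payload size derived
 * by subtraction from a frame whose declared total is shorter than its
 * header (constructed values, not a real Bluetooth frame layout). */
int frame_payload_len_signed(int total_len, int header_len) {
    return total_len - header_len;  /* negative when total_len < header_len */
}

/* If a signed value still reaches the boundary (legacy caller), reject it
 * while it is still signed; converting first and checking afterwards is
 * the bug. */
size_t safe_copy_from_signed(int len) {
    if (len < 0)
        return 0;
    return safe_copy_demo((size_t)len);
}

int main(void) {
    int len = frame_payload_len_signed(3, 4);   /* -1 */
    printf("signed len %d -> memcpy would get %zu bytes\n",
           len, unsafe_memcpy_size(len));
    printf("hardened path copies %zu bytes\n", safe_copy_from_signed(len));
    return 0;
}
```

The check that matters is the one on `safe_copy_from_signed`: a signed length must be rejected before the cast, because once it has become `size_t` the comparison against the buffer size no longer sees anything wrong with it.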

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: All versions

External links

http://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to deliver Bluetooth data that reaches the affected routines with an out-of-range (negative) 'len' value.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use-after-free error

EUVDB-ID: #VU16557

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-19364

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The vulnerability exists due to a use-after-free condition in the VirtFS component. A remote attacker who can access the system can maliciously update the fid path in worker threads via the v9fs_path_copy() function while accessing files on a shared host directory, trigger memory corruption and cause the service to crash.
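The fid-path race behind this entry and the rename race in vulnerability 1 share one shape: a worker thread frees and replaces the path string while another thread is still using it. The following is an added example written for this bulletin, not QEMU's 9pfs code; `demo_fid`, the function names and the sample paths are assumptions. It shows the unsynchronised update beside a version guarded by a read/write lock, and stress-tests only the guarded version so it runs without undefined behaviour.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a 9pfs fid (hypothetical, not QEMU's struct):
 * the path is a heap string that a worker thread may replace on rename
 * while another thread is still reading it. */
typedef struct {
    char *path;
    pthread_rwlock_t lock;
} demo_fid;

static void fid_init(demo_fid *f, const char *p) {
    f->path = strdup(p);
    pthread_rwlock_init(&f->lock, NULL);
}

static void fid_destroy(demo_fid *f) {
    free(f->path);
    pthread_rwlock_destroy(&f->lock);
}

/* VULNERABLE shape: the old path is freed and replaced with no
 * synchronisation. A reader that fetched f->path a moment earlier now
 * dereferences freed memory (use-after-free). Defined for comparison,
 * deliberately not called by the stress run below. */
void fid_path_copy_unsafe(demo_fid *f, const char *newp) {
    char *old = f->path;
    f->path = strdup(newp);
    free(old);
}

/* FIXED shape: every path update takes the write lock and every use of
 * the path takes the read lock, so a writer cannot free a buffer that a
 * reader is still holding. */
static void fid_path_copy_locked(demo_fid *f, const char *newp) {
    pthread_rwlock_wrlock(&f->lock);
    char *old = f->path;
    f->path = strdup(newp);
    free(old);
    pthread_rwlock_unlock(&f->lock);
}

static size_t fid_path_len_locked(demo_fid *f) {
    pthread_rwlock_rdlock(&f->lock);
    size_t n = strlen(f->path);
    pthread_rwlock_unlock(&f->lock);
    return n;
}

/* Constructed sample paths standing in for a file before and after a
 * rename; they differ in length so a torn read is detectable. */
static const char *PATH_A = "/share/a";
static const char *PATH_B = "/share/renamed-file";

#define ITERS 20000

struct reader_arg { demo_fid *fid; int bad; };

static void *writer_thread(void *arg) {
    demo_fid *f = arg;
    for (int i = 0; i < ITERS; i++)
        fid_path_copy_locked(f, (i & 1) ? PATH_B : PATH_A);
    return NULL;
}

static void *reader_thread(void *arg) {
    struct reader_arg *r = arg;
    size_t la = strlen(PATH_A), lb = strlen(PATH_B);
    for (int i = 0; i < ITERS; i++) {
        size_t n = fid_path_len_locked(r->fid);
        if (n != la && n != lb)
            r->bad++;            /* neither valid path: torn or freed data */
    }
    return NULL;
}

/* Runs one "rename" writer against one reader using the locked accessors.
 * Returns the number of inconsistent reads; 0 shows the lock holds. */
int race_demo_locked(void) {
    demo_fid f;
    fid_init(&f, PATH_A);
    struct reader_arg r = { &f, 0 };
    pthread_t tw, tr;
    pthread_create(&tw, NULL, writer_thread, &f);
    pthread_create(&tr, NULL, reader_thread, &r);
    pthread_join(tw, NULL);
    pthread_join(tr, NULL);
    fid_destroy(&f);
    return r.bad;
}

int main(void) {
    printf("inconsistent reads with locking: %d\n", race_demo_locked());
    return 0;
}
```

Build with `cc -pthread`. To see the defect itself, swap `fid_path_copy_unsafe` into `writer_thread` and run under ThreadSanitizer or AddressSanitizer: the reader's `strlen` on a freed buffer is reported as a data race or heap-use-after-free, which is the crash class this entry describes.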

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: 0.1 - 2.12.50

External links

http://lists.gnu.org/archive/html/qemu-devel/2018-11/msg02795.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to access files on a shared host directory in a way that updates the fid path in worker threads while another thread is still using it.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


