Denial of service in QEMU
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Race condition
EUVDB-ID: #VU16061
Risk: Low
CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-19489
Exploit availability: No
DescriptionThe vulnerability allows an adjacent attacker to cause DoS condition on the target system.
The vulnerability exists due to race condition while renaming files on a shared host directory. An adjacent attacker can use-after-free flaw in the VirtFS, host directory sharing via Plan 9 File System(9pfs) support and cause the service to crash.
MitigationInstall update from vendor's website.
Vulnerable software versionsQEMU: All versions
CPE2.3 External linkshttps://lists.gnu.org/archive/html/qemu-devel/2018-11/msg04489.html
https://bugzilla.redhat.com/show_bug.cgi?id=1653156
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Integer overflow
EUVDB-ID: #VU16198
Risk: Low
CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-19665
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows an adjacent attacker to cause DoS condition on the target system.
The vulnerability exists due to integer overflow in various Bluetooth functions in routines wherein 'len' parameter is a 'signed int' which subsequently converts to an unsigned integer. An adjacent attacker can trigger memory corruption and cause the service to crash.
MitigationInstall update from vendor's website.
Vulnerable software versionsQEMU: All versions
CPE2.3 External linkshttps://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free error
EUVDB-ID: #VU16557
Risk: Low
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-19364
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.
The vulnerability exists due to use-after-free condition in the VirtFS component. A remote attacker can access the system and maliciously updatу the fid path in worker threads by using the v9fs_path_copy() function while accessing files on a shared host directory, trigger memory corruption and cause the service to crash.
MitigationInstall update from vendor's website.
Vulnerable software versionsQEMU: 0.1 - 2.12.50
CPE2.3- cpe:2.3:a:qemu:qemu:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:0.1.2:*:*:*:*:*:*:*
https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg02795.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
