Multiple vulnerabilities in QEMU

1) Path traversal

EUVDB-ID: #VU16522

Risk: Medium

CVSSv3.1: 8.3 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16867

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to execute arbitrary code on the target system.

The vulnerability exists in qemu Media Transfer Protocol (MTP) due to an improper filename sanitization. When the guest device is mounted in read-write mode, an adjacent attacker can conduct directory traversal attack in the in usb_mtp_write_data function in hw/usb/dev-mtp.c to read/write arbitrary files which may lead do DoS scenario or arbitrary code execution on the host.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update to version 3.1.0.

Vulnerable software versions

QEMU: 2.0 - 3.0.0

External links

http://lists.gnu.org/archive/html/qemu-devel/2018-12/msg00390.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Path traversal

EUVDB-ID: #VU16541

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16872

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.

The vulnerability exists in qemu Media Transfer Protocol (MTP) due to the code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An adjacent attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to.

Mitigation

Update to version 3.1.0.

Vulnerable software versions

QEMU: 2.0 - 3.0.0

External links

http://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03135.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory leak

EUVDB-ID: #VU16560

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-20123

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to cause DoS condition on the target system.

The vulnerability exists due to memory leakage issue in the way QEMU initialised its VMWare's paravirtual RDMA device. An adjacent attacker can cause pvrdma_realize() routine not to release memory resources allocated to various objects and leak host memory, resulting in DoS for host.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: 0.1 - 3.0.0

External links

http://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02817.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Infinite loop

EUVDB-ID: #VU16677

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-20216

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c when return values are not checked (and -1 is mishandled).. A remote attacker can cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: 0.1 - 3.0.0

External links

http://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03052.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Memory leak

EUVDB-ID: #VU16684

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-20126

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to cause DoS condition on the target system.

The vulnerability exists due to memory leakage issue in hw/rdma/vmw/pvrdma_cmd.c when errors are mishandled. A local attacker can create_cq and create_qp memory leaks, resulting in DoS.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: 0.1 - 3.0.0

External links

http://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02824.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted file.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) NULL pointer dereference

EUVDB-ID: #VU16683

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-20125

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in hw/rdma/vmw/pvrdma_cmd.c. A local attacker can trigger excessive memory allocation in create_cq_ring or create_qp_rings and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

QEMU: 0.1 - 3.0.0

External links

http://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02823.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted file.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.