Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 6 |
CVE-ID | CVE-2018-16867 CVE-2018-16872 CVE-2018-20123 CVE-2018-20216 CVE-2018-20126 CVE-2018-20125 |
CWE-ID | CWE-22 CWE-401 CWE-835 CWE-476 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
QEMU Client/Desktop applications / Virtualization software |
Vendor | QEMU |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
EUVDB-ID: #VU16522
Risk: Medium
CVSSv3.1: 8.3 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-16867
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows an adjacent attacker to execute arbitrary code on the target system.
The vulnerability exists in qemu Media Transfer Protocol (MTP) due to an improper filename sanitization. When the guest device is mounted in read-write mode, an adjacent attacker can conduct directory traversal attack in the in usb_mtp_write_data function in hw/usb/dev-mtp.c to read/write arbitrary files which may lead do DoS scenario or arbitrary code execution on the host.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate to version 3.1.0.
Vulnerable software versionsQEMU: 2.0 - 3.0.0
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2018-12/msg00390.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU16541
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-16872
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.
The vulnerability exists in qemu Media Transfer Protocol (MTP) due to the code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An adjacent attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to.
MitigationUpdate to version 3.1.0.
Vulnerable software versionsQEMU: 2.0 - 3.0.0
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03135.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU16560
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-20123
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows an adjacent attacker to cause DoS condition on the target system.
The vulnerability exists due to memory leakage issue in the way QEMU initialised its VMWare's paravirtual RDMA device. An adjacent attacker can cause pvrdma_realize() routine not to release memory resources allocated to various objects and leak host memory, resulting in DoS for host.
MitigationInstall update from vendor's website.
Vulnerable software versionsQEMU: 0.1 - 3.0.0
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02817.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU16677
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-20216
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c when return values are not checked (and -1 is mishandled).. A remote attacker can cause the service to crash.
MitigationInstall update from vendor's website.
Vulnerable software versionsQEMU: 0.1 - 3.0.0
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03052.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU16684
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-20126
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition on the target system.
The vulnerability exists due to memory leakage issue in hw/rdma/vmw/pvrdma_cmd.c when errors are mishandled. A local attacker can create_cq and create_qp memory leaks, resulting in DoS.
MitigationInstall update from vendor's website.
Vulnerable software versionsQEMU: 0.1 - 3.0.0
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02824.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU16683
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-20125
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in hw/rdma/vmw/pvrdma_cmd.c. A local attacker can trigger excessive memory allocation in create_cq_ring or create_qp_rings and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsQEMU: 0.1 - 3.0.0
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02823.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.