VM escape flaw in QEMU allows for arbitrary code execution, denial of service

guest · Aug 26, 2019

VM escape flaw in QEMU allows for arbitrary code execution, denial of service
Reassembly of fragmented packets can potentially be exploited against cloud-hosted virtual machine services
August 26, 2019
https://www.techrepublic.com/articl...r-arbitrary-code-execution-denial-of-service/

A vulnerability in QEMU—a popular open-source hardware virtualization package—allows malicious actors to perform a "virtual machine escape," in essence, allowing attackers to break out of guest operating systems and attack the host operating system that QEMU runs on.

The vulnerability, designated as CVE-2019-14378, relies on the networking implementation in QEMU: A flaw in the SLiRP networking backend exists in the ip_reass() routine—used to reassemble packets—when the first fragment is larger than the m->m_dat[] buffer. Fragmentation of packets is a routine occurrence, for situations when packets are larger than the maximum transmission unit (MTU) set for a specific connection. In these situations, the fragments are reassembled by the receiving system.

Successfully exploiting the vulnerability also requires bypassing ASLR and PIE. A full explanation of the exploit is provided by Vishnu Dev.
While no external mitigation exists, patches have been published for the vulnerability, which additionally fixes a regression in which network block device connections could hang.
Click to expand...

Log in or Sign up

VM escape flaw in QEMU allows for arbitrary code execution, denial of service

guest Guest

Log in or Sign up

VM escape flaw in QEMU allows for arbitrary code execution, denial of service

guest Guest

Useful Searches