What is the issue?
A vulnerability in QEMU, a popular open-source hardware virtualization package, allows attackers to perform a “virtual machine escape”: breaking out of a guest virtual machine to attack the host operating system that runs QEMU.
What is the impact?
The vulnerability tracked as CVE-2019-14378 allows an attacker to perform arbitrary code execution at the same privilege level as QEMU itself, and completely crash the QEMU process.
The vulnerability impacts providers of cloud-hosted virtual machines that use QEMU for virtualization.
More details on the vulnerability
The vulnerability was found by a security researcher during a code audit, and there’s no evidence that the vulnerability has been exploited in the wild.
However, successful exploitation of the vulnerability also requires the attacker to bypass ASLR and PIE.
“IP fragmentation is an Internet Protocol (IP) process that breaks packets into smaller pieces (fragments), so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host,” the researcher wrote in a blog post.
Patches have been released for the vulnerability; they additionally fix a regression in which network block device connections could hang. However, applying the patches to QEMU requires a restart of the virtual machines operated by that process, which will create downtime as systems are patched.