
Vulnerability in QEMU allows attackers to perform virtual machine escape

  • The vulnerability impacts providers of cloud-hosted virtual machines that use QEMU for virtualization.
  • The vulnerability is triggered when fragment packets are reassembled for processing.

What is the issue?

A vulnerability in QEMU, a popular open-source hardware virtualization package, allows an attacker inside a guest to perform a “virtual machine escape”, breaking out of the guest to attack the host operating system that runs QEMU.

What is the impact?

The vulnerability, tracked as CVE-2019-14378, allows an attacker to execute arbitrary code at the same privilege level as the QEMU process, or to crash the QEMU process outright.

The vulnerability impacts providers of cloud-hosted virtual machines that use QEMU for virtualization.

More details on the vulnerability

The vulnerability was found by a security researcher during a code audit, and there’s no evidence that the vulnerability has been exploited in the wild.

  • The flaw lies in QEMU’s networking implementation, specifically in the packet reassembly code of SLiRP, its user-mode network stack.
  • The vulnerability is triggered when IP fragments are reassembled for processing.
  • Reassembly goes wrong when the first fragment is larger than the maximum transmission unit (MTU) set for that connection, i.e. larger than the m->m_dat[] buffer that is meant to hold it.

However, successful exploitation of the vulnerability also requires bypassing ASLR and PIE.

“IP fragmentation is an Internet Protocol (IP) process that breaks packets into smaller pieces (fragments), so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host,” the researcher explained in a blog post.
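The trigger condition described above, a first fragment (offset 0, MF set) whose IP total length exceeds the link MTU, can be checked on the host side with a small header parser. This is an added example, not code from the advisory or from QEMU/SLiRP; the MTU value, the packets and the 10.0.2.x addresses are constructed for illustration.

```python
import struct

MTU = 1500  # assumed link MTU for the constructed sample

def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fragmentation-relevant fields of a fixed 20-byte IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
        "id": ident,
        "mf": bool(flags_frag & 0x2000),       # "more fragments" flag
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset in bytes
        "proto": proto,
        "src": src,
        "dst": dst,
    }

def flag_oversized_first_fragments(packets, mtu=MTU):
    """Return (ip_id, total_len) for each first fragment whose claimed
    total length exceeds the MTU: the condition the advisory names as
    the reassembly trigger. Safe to run on captures; it only reads headers."""
    hits = []
    for pkt in packets:
        h = parse_ipv4(pkt)
        if h["offset"] == 0 and h["mf"] and h["total_len"] > mtu:
            hits.append((h["id"], h["total_len"]))
    return hits

def make_ipv4(total_len, ident, mf, offset_units):
    """Build a constructed IPv4 packet (zeroed UDP payload) for the sample."""
    flags_frag = (0x2000 if mf else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      64, 17, 0, b"\x0a\x00\x02\x0f", b"\x0a\x00\x02\x02")
    return hdr + b"\x00" * (total_len - 20)

# Constructed sample: one well-formed fragment pair and one oversized first fragment.
SAMPLE = [
    make_ipv4(1500, 1, True, 0),     # first fragment, fits the MTU
    make_ipv4(1500, 1, False, 185),  # last fragment, offset 185*8 = 1480
    make_ipv4(4000, 2, True, 0),     # first fragment larger than the MTU
]
```

On the sample, only IP id 2 is reported; in a monitoring pipeline the same check can be applied to packets entering a guest's SLiRP interface.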

Patch available

Patches have been released for the vulnerability; they additionally fix a regression in which network block device connections could hang. However, applying the patches to QEMU requires restarting the virtual machines run by that process, so systems will incur downtime as they are patched.
