CVE-2018-12617
Published 2018-06-21
CVE-2018-12617: qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a…
Priority: P260 · high · CVSS 3.1 score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploit: public exploit referenced (exploit-db)
EPSS: 25.35% (97.7th percentile)
qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | qemu | < qemu 1:3.1+dfsg-1 (bookworm) | qemu 1:3.1+dfsg-1 (bookworm) |
| qemu | qemu | <= 2.12.50 | — |
| qemu | qemu | >= 0 < 1:3.1+dfsg-1 | 1:3.1+dfsg-1 |
| qemu | qemu | >= 0 < 1:3.1+dfsg-1 | 1:3.1+dfsg-1 |
| qemu | qemu | >= 0 < 1:3.1+dfsg-1 | 1:3.1+dfsg-1 |
| qemu | qemu | >= 0 < 1:3.1+dfsg-1 | 1:3.1+dfsg-1 |
| qemu | qemu | >= 0 < 2.0.0+dfsg-2ubuntu1.44 | 2.0.0+dfsg-2ubuntu1.44 |
| qemu | qemu | >= 0 < 1:2.5+dfsg-5ubuntu10.33 | 1:2.5+dfsg-5ubuntu10.33 |
| qemu | qemu | >= 0 < 1:2.11+dfsg-1ubuntu7.8 | 1:2.11+dfsg-1ubuntu7.8 |
Detection & IOCs (extracted from sources)
- Monitor QMP traffic on the qemu-ga listening socket for guest-file-read commands with a count value of 4294967295 (0xFFFFFFFF) or other abnormally large values indicative of integer overflow exploitation.
- Alert on qemu-ga process crashes (segmentation fault / SIGSEGV) immediately following receipt of a guest-file-read QMP command, as this is the observable effect of successful exploitation.
- Look for socat or similar tools connecting to the qemu-ga UNIX socket (/tmp/qga.sock or equivalent) from unexpected processes, as the exploit requires direct socket access.
- The vulnerable code path (qmp_guest_file_read) is only reachable if qemu-ga (QEMU Guest Agent) is running and listening on a socket. QEMU KVM builds for OpenStack (qemu-kvm-rhev) do not build the guest agent and are therefore not affected.
- The fix restricts guest-file-read count to a maximum of 48 MB; deployments should verify they are running a patched version incorporating upstream commit 1329651fb4.
- The exploit requires the attacker to know or guess the correct file handle value returned by guest-file-open, as different files will have different handle values.
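As an added illustration (not part of this page, nor QEMU's own code), the following Python applies the first detection item and the fix's 48 MB cap to QMP command lines captured from the guest-agent socket. It assumes one JSON command per line and that "48 MB" means 48 MiB; the sample traffic is constructed.

```python
"""Flag guest-file-read QMP commands whose count is out of range (CVE-2018-12617)."""
import json

# Upper bound the upstream fix enforces on guest-file-read count.
# Assumption: the advisory's "48 MB" is 48 MiB.
GUEST_FILE_READ_COUNT_MAX = 48 * 1024 * 1024


def inspect_qmp_line(line):
    """Return a finding dict for a suspicious QMP line, or None if it is benign.

    Malformed JSON is reported too: the agent must parse it before the
    guest-file-read check runs, so it is worth seeing in the same alert stream.
    """
    try:
        msg = json.loads(line)
    except json.JSONDecodeError:
        return {"reason": "malformed-json", "raw": line.strip()}
    if not isinstance(msg, dict) or msg.get("execute") != "guest-file-read":
        return None
    args = msg.get("arguments") or {}
    handle, count = args.get("handle"), args.get("count")
    if count is None:
        return None  # count is optional; the agent falls back to its default
    if isinstance(count, bool) or not isinstance(count, int):
        return {"reason": "non-integer-count", "handle": handle, "count": count}
    if count < 0 or count > GUEST_FILE_READ_COUNT_MAX:
        # Same predicate the fix uses to reject the request before allocating.
        return {"reason": "count-out-of-range", "handle": handle, "count": count}
    return None


def scan_qmp_log(lines):
    """Run inspect_qmp_line over every captured line and collect the findings."""
    return [f for f in (inspect_qmp_line(line) for line in lines) if f]


# Constructed sample of QMP traffic as seen on the qemu-ga socket.
SAMPLE_QMP = [
    '{"execute": "guest-sync", "arguments": {"id": 1}}',
    '{"execute": "guest-file-open", "arguments": {"path": "/etc/hostname"}}',
    '{"execute": "guest-file-read", "arguments": {"handle": 1000, "count": 4096}}',
    '{"execute": "guest-file-read", "arguments": {"handle": 1000, "count": 4294967295}}',
    '{"execute": "guest-file-read", "arguments": {"handle": 1000, "count": -1}}',
    '{"execute": "guest-file-read", "arguments": {"handle": 1000, "count": 50331648}}',
]

if __name__ == "__main__":
    for finding in scan_qmp_log(SAMPLE_QMP):
        print(finding)
```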
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
Ubuntu
QEMU vulnerabilities (vendor_ubuntu · 2018-11-26 · CVSS 6.5)
CVE-2018-10839 [MEDIUM]
Summary: Several security issues were fixed in QEMU.
Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled
NE2000 device emulation. An attacker inside the guest could use this issue
to cause QEMU to crash, resulting in a denial of service. (CVE-2018-10839)
It was discovered that QEMU incorrectly handled the Slirp networking
back-end. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly execute
arbitrary code on the host. In the default installation, when QEMU is used
with libvirt, attackers would be isolated by the libvirt AppArmor profile.
This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu
18.04 LTS. (CVE-2018-11806)
Fakhri Zulkifli discovered
Red Hat
Qemu: qemu-guest-agent: Integer overflow causes segmentation fault in qmp_guest_file_read() (vendor_redhat · 2018-06-22 · CVSS 7.5)
CVE-2018-12617 [HIGH] CWE-190
Package: qemu-kvm (Red Hat Enterprise Linux 6) - Fix deferred
Package: virtio-win (Red Hat Enterprise Linux 6) - Fix deferred
Package: qemu-guest-agent (Red Hat Enterprise Linux 7) - Fix deferred
Package: qemu-kvm (Red Hat Enterprise Linux 7) - Not affected
Package: qemu-kvm-ma (Red Hat Enterp
Debian
CVE-2018-12617: qemu - qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga ... (vendor_debian · 2018 · CVSS 7.5)
CVE-2018-12617 [HIGH]
Scope: local
bookworm: resolved (fixed in 1:3.1+dfsg-1)
bullseye: resolved (fixed in 1:3.1+dfsg-1)
forky: resolved (fixed in 1:3.1+dfsg-1)
sid: resolved (fixed in 1:3.1+dfsg-1)
trixie: resolved (fixed in 1:3.1+dfsg-1)
GHSA
GHSA-prpr-q2gp-hgw2: qmp_guest_file_read in qga/commands-posix (ghsa_unreviewed · 2022-05-13)
CVE-2018-12617 [HIGH] CWE-190
OSV
qemu vulnerabilities (osv · 2018-11-26 · CVSS 6.5)
CVE-2018-10839 [MEDIUM]
Fakhri Zulkifli discovered that the QEMU guest agent incorrectly handled
certain QMP co
OSV
CVE-2018-12617: qmp_guest_file_read in qga/commands-posix (osv · 2018-06-21 · CVSS 7.5)
CVE-2018-12617 [HIGH]
No detection rules found.
Bugzilla
CVE-2018-12617 Qemu: qemu-guest-agent: Integer overflow causes segmentation fault in qmp_guest_file_read() (bugzilla · 2018-06-22 · CVSS 7.5)
CVE-2018-12617 [HIGH]
The QEMU Guest Agent in QEMU is vulnerable to an integer overflow in the
qmp_guest_file_read(). An attacker could exploit this by sending a crafted QMP
command (including guest-file-read with a large count value) to the agent via
the listening socket to trigger a g_malloc() call with a large memory chunk
resulting in a segmentation fault.
A user could use this flaw to crash the QEMU guest agent process resulting in DoS.
Upstream Patch:
-> https://git.qemu.org/?p=qemu.git;a=commit;h=141b197408ab398c4f474ac1a728ab316e921f2b
References:
-> https://www.openwall.com/lists/oss-security/2018/10/17/4
-> https://gist.github.com/fakhrizulkifli/c7740d28efa07dafee66d4da5d857ef6
Discussion:
Bugzilla
CVE-2018-12617 qemu: qemu-guest-agent: Integer overflow causes segmentation fault in qmp_guest_file_read() [fedora-all] (bugzilla · 2018-06-22 · CVSS 7.5)
CVE-2018-12617 [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this
References:
- http://www.securityfocus.com/bid/104531
- https://gist.github.com/fakhrizulkifli/c7740d28efa07dafee66d4da5d857ef6
- https://lists.debian.org/debian-lts-announce/2019/02/msg00041.html
- https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg03385.html
- https://seclists.org/bugtraq/2019/May/76
- https://usn.ubuntu.com/3826-1/
- https://www.debian.org/security/2019/dsa-4454
- https://www.exploit-db.com/exploits/44925/
Published: 2018-06-21