cbcvebase.
CVE-2019-12929
published 2019-06-24

CVE-2019-12929: The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service…

PriorityP260critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
4.90%
91.0th percentile
The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue

Affected

2 ranges
VendorProductVersion rangeFixed in
debianqemu
qemuqemu<= 4.0.0

Detection & IOCsextracted from sources · hover to see the quote

  • Monitor for crafted QMP `guest_exec` commands sent to the QEMU QMP listening server, which can be used for OS command injection leading to code execution, denial of service, or information disclosure.
  • Alert on any external or unprivileged access to the QEMU Machine Protocol (QMP) interface; QMP must not be exposed to unprivileged users.
  • ·Libvirt (a common QEMU manager) uses only local UNIX sockets for QMP communication, which are owned by the QEMU process user-id and protected by per-VM sVirt labels, making them not reachable by other users or VMs.
  • ·All Red Hat Enterprise Linux packages (kvm, qemu-kvm, qemu-kvm-ma, qemu-kvm-rhev across RHEL 5–8 and OpenStack Platform variants) are marked Not Affected for this CVE.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
osv9.8CRITICAL
vendor_debian9.8LOW
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.