CVE-2019-12929
Published 2019-06-24
Priority: P2 60 | Severity: critical | CVSS 3.0: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 4.90% (91.0th percentile)
The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a TCP socket open to the internet, then it is an insecure configuration issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | qemu | — | — |
| qemu | qemu | <= 4.0.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for crafted QMP `guest_exec` commands sent to the QEMU QMP listening server, which can be used for OS command injection leading to code execution, denial of service, or information disclosure.
- Alert on any external or unprivileged access to the QEMU Machine Protocol (QMP) interface; QMP must not be exposed to unprivileged users.
- Libvirt (a common QEMU manager) uses only local UNIX sockets for QMP communication, which are owned by the QEMU process user-id and protected by per-VM sVirt labels, making them not reachable by other users or VMs.
- All Red Hat Enterprise Linux packages (kvm, qemu-kvm, qemu-kvm-ma, qemu-kvm-rhev across RHEL 5–8 and OpenStack Platform variants) are marked Not Affected for this CVE.
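The exposure checks listed above can be run against QEMU command lines taken from a process listing. This is an added example, not code from QEMU or from the sources quoted on this page; the function names, exposure labels and sample command line are assumptions for illustration, and only the `-qmp`, `-qmp-pretty`, `-mon` and `-chardev socket` option forms are parsed.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
SAMPLE = "qemu-system-x86_64 -qmp tcp:0.0.0.0:4444,server,nowait"  # constructed input

def _tcp(host, port):
    # An empty host on a listening socket means all interfaces.
    host = host.strip("[]")
    kind = "tcp-loopback" if host in LOOPBACK else "tcp-network"
    return kind, f"{host or '*'}:{port}"

def _legacy(dev):
    # -qmp shorthand: tcp:host:port[,opts] or unix:path[,opts]
    addr = dev.split(",")[0]
    if addr.startswith("unix:"):
        return "unix", addr[5:]
    if addr.startswith("tcp:"):
        host, _, port = addr[4:].rpartition(":")
        return _tcp(host, port)
    return "other", addr

def _opts(spec):
    # Split "head,k=v,flag" into (head, {k: v}); bare flags map to "on".
    head, *rest = spec.split(",")
    return head, dict(p.split("=", 1) if "=" in p else (p, "on") for p in rest)

def _chardev(backend, o):
    if backend == "socket" and "path" in o:
        return "unix", o["path"]
    if backend == "socket" and ("host" in o or "port" in o):
        return _tcp(o.get("host", ""), o.get("port", "?"))
    return "other", backend

def audit_qmp(cmdline):
    """Return [(exposure, endpoint)] for each QMP monitor on a QEMU command line."""
    argv = shlex.split(cmdline)
    pairs = list(zip(argv, argv[1:]))
    specs = [_opts(v) for f, v in pairs if f == "-chardev"]
    chardevs = {o.get("id"): _chardev(b, o) for b, o in specs}
    found = []
    for flag, val in pairs:
        if flag in ("-qmp", "-qmp-pretty"):
            found.append(_legacy(val))
        elif flag == "-mon":
            head, o = _opts(val)
            name = head.split("=", 1)[1] if head.startswith("chardev=") else head
            # Only mode=control monitors speak QMP; readline is the human monitor.
            if o.get("mode") == "control" and name in chardevs:
                found.append(chardevs[name])
    return found
```

Any result other than `unix` deserves review: a loopback TCP listener is still reachable by every local user, whereas a UNIX socket can be restricted by file ownership and labels as described for Libvirt above.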
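CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |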
Red Hat
QEMU: guest agent guest_exec command execution
vendor_redhat·2019-06-06·CVSS 9.8
CVE-2019-12929 [CRITICAL] CWE-78 QEMU: guest agent guest_exec command execution
QEMU's Machine Protocol (QMP) is designed to enable remote applications (e.g. Libvirt) to control and manage QEMU process instances. QEMU Guest-Agent is a daemon program which helps remote applications (e.g. Libvirt) to run commands on the guest VM; it supports QMP commands. It
Debian
CVE-2019-12929: qemu - The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command inje...
vendor_debian·2019·CVSS 9.8
CVE-2019-12929 [CRITICAL] CVE-2019-12929: qemu - The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command inje...
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
GHSA
GHSA-mmfj-9vc2-fw9p: The QMP guest_exec command in QEMU 4
ghsa_unreviewed·2022-05-24
CVE-2019-12929 [CRITICAL] CWE-668 GHSA-mmfj-9vc2-fw9p: The QMP guest_exec command in QEMU 4
The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
OSV
CVE-2019-12929: The QMP guest_exec command in QEMU 4
osv·2019-06-24·CVSS 9.8
CVE-2019-12929 [CRITICAL] CVE-2019-12929: The QMP guest_exec command in QEMU 4
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-12929 qemu: QEMU guest agent guest_exec command execution [epel-7]
bugzilla·2019-06-27·CVSS 9.8
CVE-2019-12929 [CRITICAL] CVE-2019-12929 qemu: QEMU guest agent guest_exec command execution [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template for the 'fedpkg
Bugzilla
CVE-2019-12929 qemu: QEMU guest agent guest_exec command execution [fedora-all]
bugzilla·2019-06-27·CVSS 9.8
CVE-2019-12929 [CRITICAL] CVE-2019-12929 qemu: QEMU guest agent guest_exec command execution [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versio
Bugzilla
CVE-2019-12929 QEMU: guest agent guest_exec command execution
bugzilla·2019-06-27·CVSS 9.8
CVE-2019-12929 [CRITICAL] CVE-2019-12929 QEMU: guest agent guest_exec command execution
The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
https://fakhrizulkifli.github.io/posts/2019/06/06/CVE-2019-12929/
Discussion:
Created qemu tracking bugs for this issue:
Affects: epel-7 [bug 1724810]
Affects: fedora-all [bug 1724811]
---
The purpose of the guest-exec command in QMP is to allow the passing of commands to the guest to be executed by the guest. It is a documented part of the QMP interface between the host and the guest for the management of the guest. In the documentation [1] the function's description is "Execute a co