CVE-2019-14378
Published: 2019-07-29

ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.

Priority: P268 (high)
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: EXPLOIT
EPSS: 16.66% (96.6th percentile)
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | qemu | < qemu 1:4.1-1 (bookworm) | qemu 1:4.1-1 (bookworm) |
| debian | slirp4netns | < qemu 1:4.1-1 (bookworm) | qemu 1:4.1-1 (bookworm) |
| libslirp_project | libslirp | — | — |
| qemu | qemu | >= 0 < 1:4.1-1 | 1:4.1-1 |
| qemu | qemu | >= 0 < 1:4.1-1 | 1:4.1-1 |
| qemu | qemu | >= 0 < 1:4.1-1 | 1:4.1-1 |
| qemu | qemu | >= 0 < 1:4.1-1 | 1:4.1-1 |
| qemu | qemu | >= 0 < 1:2.5+dfsg-5ubuntu10.42 | 1:2.5+dfsg-5ubuntu10.42 |
| qemu | qemu | >= 0 < 1:2.11+dfsg-1ubuntu7.20 | 1:2.11+dfsg-1ubuntu7.20 |
| qemu | qemu | >= 0 < 2.0.0+dfsg-2ubuntu1.47 | 2.0.0+dfsg-2ubuntu1.47 |
Detection & IOCs (extracted from sources)
- The vulnerability triggers in ip_reass() when the first IP fragment is larger than the m->m_dat[] buffer. Monitor for oversized first IP fragments (IP_MF flag set, fragment offset 0) with total length exceeding normal MTU bounds sent toward the QEMU SLiRP interface (guest-to-host direction, dst 10.0.2.2).
- The exploit uses a minimum MTU threshold of 12000 bytes and crafts oversized fragmented ICMP packets. Detect fragmented ICMP packets with abnormally large payload sizes (>12000 bytes reconstructed) originating from within a QEMU guest on the SLiRP network.
- The exploit sends raw Ethernet frames with crafted IP fragmentation sequences (IP_MF flag) using IPPROTO_ICMP. Detect sequences of fragmented ICMP packets with the same IP ID from a single source in rapid succession, particularly where the first fragment's tot_len field encodes a negative or anomalous value.
- The exploit targets the QEMU SLiRP default gateway address 10.0.2.2 from the guest address 10.0.2.15. Alert on high-rate fragmented IP traffic from 10.0.2.15 to 10.0.2.2 within a QEMU guest network namespace.
- The exploit uses a crafted ICMP echo reply with checksum 0xffff as a side-channel to leak heap/code pointers. Detect ICMP echo replies with checksum value 0xffff on the SLiRP interface as a potential indicator of exploitation in progress.
- The vulnerability only affects QEMU instances using SLiRP (KVM user-mode networking). Deployments using other network backends (e.g., virtio with TAP) are not affected. Red Hat OpenStack Platform is explicitly noted as not vulnerable because it does not use SLIRP networking.
- The exploit PoC hardcodes QEMU binary symbol offsets (e.g., SYSTEM_PLT, QEMU_CLOCK, MAIN_LOOP_TLG). These offsets are build-specific and will vary across QEMU versions and distributions, limiting direct reuse of the exploit without adaptation.
- There is no external mitigation available to prevent this out-of-bounds heap memory access; patching to libslirp >= 4.1-1 (commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210) is the only fix.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
| vendor_ubuntu | — | 3.8 | LOW | — |
GHSA: GHSA-qvqc-h5c8-h785: ip_reass in ip_input (ghsa_unreviewed, 2022-05-24, CVE-2019-14378 [HIGH])
ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.
OSV: qemu vulnerabilities (osv, 2019-11-14, CVSS 3.8, CVE-2019-12068 [LOW])
USN-4191-2 fixed a vulnerability in QEMU. This update provides the
corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that the LSI SCSI adapter emulator implementation in QEMU
did not properly validate executed scripts. A local attacker could use this
to cause a denial of service. (CVE-2019-12068)
Sergej Schumilo, Cornelius Aschermann and Simon Wörner discovered that the
qxl paravirtual graphics driver implementation in QEMU contained a null
pointer dereference. A local attacker in a guest could use this to cause a
denial of service. (CVE-2019-12155)
Riccardo Schirone discovered that the QEMU bridge helper did not properly
validate network interface names. A local attacker could possibly use this
to bypass ACL restrictions. (CV
OSV: qemu vulnerabilities (osv, 2019-11-14, CVSS 3.8, CVE-2019-12068 [LOW])
It was discovered that the LSI SCSI adapter emulator implementation in QEMU
did not properly validate executed scripts. A local attacker could use this
to cause a denial of service. (CVE-2019-12068)
Sergej Schumilo, Cornelius Aschermann and Simon Wörner discovered that the
qxl paravirtual graphics driver implementation in QEMU contained a null
pointer dereference. A local attacker in a guest could use this to cause a
denial of service. (CVE-2019-12155)
Riccardo Schirone discovered that the QEMU bridge helper did not properly
validate network interface names. A local attacker could possibly use this
to bypass ACL restrictions. (CVE-2019-13164)
It was discovered that a heap-based buffer overflow existed in the SLiRP
networking implementation of QEMU. A local attacker
OSV: CVE-2019-14378: ip_reass in ip_input (osv, 2019-07-29, CVSS 8.8, CVE-2019-14378 [HIGH])
ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.
Ubuntu: QEMU vulnerabilities (vendor_ubuntu, 2019-11-14, CVSS 3.8, CVE-2019-12068 [LOW])
Summary: Several security issues were fixed in QEMU.
USN-4191-2 fixed a vulnerability in QEMU. This update provides the
corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that the LSI SCSI adapter emulator implementation in QEMU
did not properly validate executed scripts. A local attacker could use this
to cause a denial of service. (CVE-2019-12068)
Sergej Schumilo, Cornelius Aschermann and Simon Wörner discovered that the
qxl paravirtual graphics driver implementation in QEMU contained a null
pointer dereference. A local attacker in a guest could use this to cause a
denial of service. (CVE-2019-12155)
Riccardo Schirone discovered that the QEMU bridge helper did not properly
validate network interface names. A local att
Ubuntu: QEMU vulnerabilities (vendor_ubuntu, 2019-11-14, CVSS 3.8, CVE-2019-12068 [LOW])
Summary: Several security issues were fixed in QEMU.
It was discovered that the LSI SCSI adapter emulator implementation in QEMU
did not properly validate executed scripts. A local attacker could use this
to cause a denial of service. (CVE-2019-12068)
Sergej Schumilo, Cornelius Aschermann and Simon Wörner discovered that the
qxl paravirtual graphics driver implementation in QEMU contained a null
pointer dereference. A local attacker in a guest could use this to cause a
denial of service. (CVE-2019-12155)
Riccardo Schirone discovered that the QEMU bridge helper did not properly
validate network interface names. A local attacker could possibly use this
to bypass ACL restrictions. (CVE-2019-13164)
It was discovered that a heap-based buffer overflow existed in
Red Hat: QEMU: slirp: heap buffer overflow during packet reassembly (vendor_redhat, 2019-07-28, CVSS 8.8, CVE-2019-14378 [HIGH], CWE-122)
ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.
A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the ip_reass() routine while reassembling incoming packets if the first fragment is bigger than the m->m_dat[] buffer. An attacker could use this flaw to crash the QEMU process on the host, resulting in a Denial of Service or potentially executing arbitrary code with privileges of the QEMU process.
Statement: Red Hat OpenStack Platform:
* This flaw impacts KVM user-mode or SLIRP networking, which is not used in Red Hat OpenStack Platform. Although updating is re
Debian: CVE-2019-14378: qemu - ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a ... (vendor_debian, 2019, CVSS 8.8, CVE-2019-14378 [HIGH])
ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.
Scope: local
bookworm: resolved (fixed in 1:4.1-1)
bullseye: resolved (fixed in 1:4.1-1)
forky: resolved (fixed in 1:4.1-1)
sid: resolved (fixed in 1:4.1-1)
trixie: resolved (fixed in 1:4.1-1)
No detection rules found.
Bugzilla: CVE-2019-14378 qemu: slirp: heap buffer overflow during packet reassembly [fedora-all] (bugzilla, 2019-08-01, CVSS 8.8, CVE-2019-14378 [HIGH])
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla: CVE-2019-14378 QEMU: slirp: heap buffer overflow during packet reassembly (bugzilla, 2019-07-31, CVSS 8.8, CVE-2019-14378 [HIGH])
A heap buffer overflow issue was found in the SLiRP networking implementation
of the QEMU emulator. It occurs in ip_reass() routine while reassembling
incoming packets, if the first fragment is bigger than the m->m_dat[] buffer.
A user/process could use this flaw to crash the Qemu process on the host
resulting in DoS or potentially execute arbitrary code with privileges of the
QEMU process.
Upstream patch:
-> https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04acbabd7ad32c2b018fe10dfac2a3bc1210
Reference:
-> https://www.openwall.com/lists/oss-security/2019/08/01/2
Discussion:
Acknowledgments:
Name: Vishnu Dev
---
Created qemu tracking bugs for this issue:
Affects: fedora-all [bug 1735654]
---
References
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00034.html
- http://packetstormsecurity.com/files/154269/QEMU-Denial-Of-Service.html
- http://www.openwall.com/lists/oss-security/2019/08/01/2
- https://access.redhat.com/errata/RHSA-2019:3179
- https://access.redhat.com/errata/RHSA-2019:3403
- https://access.redhat.com/errata/RHSA-2019:3494
- https://access.redhat.com/errata/RHSA-2019:3742
- https://access.redhat.com/errata/RHSA-2019:3787
- https://access.redhat.com/errata/RHSA-2019:3968
- https://access.redhat.com/errata/RHSA-2019:4344
- https://access.redhat.com/errata/RHSA-2020:0366
- https://access.redhat.com/errata/RHSA-2020:0775
- https://blog.bi0s.in/2019/08/24/Pwn/VM-Escape/2019-07-29-qemu-vm-escape-cve-2019-14378/
- https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04acbabd7ad32c2b018fe10dfac2a3bc1210
- https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPLHB2AN663OXAWUQURF7J2X5LHD4VD3/
- https://news.ycombinator.com/item?id=20799010
- https://seclists.org/bugtraq/2019/Aug/41
- https://seclists.org/bugtraq/2019/Sep/3
- https://support.f5.com/csp/article/K25423748
- https://support.f5.com/csp/article/K25423748?utm_source=f5support&%3Butm_medium=RSS
- https://usn.ubuntu.com/4191-1/
- https://usn.ubuntu.com/4191-2/
- https://www.debian.org/security/2019/dsa-4506
- https://www.debian.org/security/2019/dsa-4512