QEMU Vulnerability Exposes The Host Through Emulated CD-ROM Drive
Back in May was the big "VENOM" security vulnerability affecting QEMU, whereby VM isolation could be escaped through QEMU's virtual floppy disk drive. In June there was a PCNET controller buffer overflow allowing a guest to escape and gain host access. Today a similar security vulnerability is going public, this time in QEMU's virtual CD-ROM drive.
The new issue, CVE-2015-5154, is a heap overflow flaw triggered while processing certain ATAPI commands. This flaw in QEMU's IDE subsystem could allow a privileged user inside a guest that has a virtual/emulated CD-ROM drive to execute arbitrary code on the host system. Basically, if the IDE CD-ROM device is enabled for the guest, current versions of QEMU could be exploited to run code on the host with the same privileges as the QEMU process.
More details on CVE-2015-5154 are in the announcement, and there are currently patches addressing this vulnerability on the QEMU-devel list.
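Since the article ties exposure to whether an IDE CD-ROM device is attached to the guest at all (not to whether media is inserted), the practical first step for a host administrator is to find which guests carry one. The following is an added example, not code from the article or from the QEMU project: it parses libvirt domain XML (the output of `virsh dumpxml <name>`) and reports every CD-ROM whose target bus is `ide`. The domain names, paths and XML below are constructed sample data.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample libvirt domain definitions (not taken from the article).
# In practice each string would come from `virsh dumpxml <name>`.
SAMPLE_DOMAINS: Dict[str, str] = {
    # Guest with a virtio root disk plus an IDE CD-ROM that has an ISO loaded.
    "web01": """<domain type='kvm'>
  <name>web01</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/web01.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/install.iso'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
    </disk>
  </devices>
</domain>""",
    # Guest with an IDE CD-ROM but an empty tray (no <source>): the device,
    # and therefore the ATAPI command handling, is still present in QEMU.
    "build01": """<domain type='kvm'>
  <name>build01</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/build01.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <target dev='hda' bus='ide'/>
      <readonly/>
    </disk>
  </devices>
</domain>""",
    # Guest with virtio disks only and no CD-ROM device at all.
    "db01": """<domain type='kvm'>
  <name>db01</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/db01.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>""",
}


def ide_cdrom_targets(domain_xml: str) -> List[str]:
    """Return the target device names (e.g. 'hdc') of every CD-ROM on the IDE bus.

    A CD-ROM is flagged whether or not media is attached, because the article
    states the exposure depends on the IDE CD-ROM device being enabled.
    """
    root = ET.fromstring(domain_xml)
    hits: List[str] = []
    for disk in root.iter("disk"):
        if disk.get("device") != "cdrom":
            continue
        target = disk.find("target")
        if target is not None and target.get("bus") == "ide":
            hits.append(target.get("dev", "?"))
    return hits


def audit(domains: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each domain name to its list of IDE CD-ROM targets (empty if none)."""
    return {name: ide_cdrom_targets(xml) for name, xml in domains.items()}


def exposed_domains(domains: Dict[str, str]) -> List[str]:
    """Names of guests that carry at least one IDE CD-ROM, sorted for stable output."""
    return sorted(name for name, hits in audit(domains).items() if hits)


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_DOMAINS).items():
        status = "IDE CD-ROM present: " + ", ".join(hits) if hits else "no IDE CD-ROM"
        print(f"{name:10s} {status}")
    print("guests to patch or detach CD-ROM from first:", exposed_domains(SAMPLE_DOMAINS))
```

Guests that show up in the exposed list are the ones where updating QEMU matters most; until the host's QEMU is patched, detaching the CD-ROM device from guests that do not need it removes the affected device from the VM entirely, which is the mitigation the article's own condition implies.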