QEMU VM Escape Vulnerability

QEMU VM Escape Vulnerability (CVE-2020-14364) Threat Alert

September 18, 2020

Vulnerability Description

On August 24, QEMU released a security patch to fix a VM escape vulnerability (CVE-2020-14364) which is the result of an out-of-bounds read/write access issue in the USB emulator in QEMU. This vulnerability resides in ./hw/usb/core.c. When the program handles USB packets from a guest, this vulnerability is deemed to exist if USBDevice ‘setup_len’ exceeds its ‘data_buf[4096]’ in the do_token_in and do_token_out routines. An attacker could exploit this vulnerability to cause out-of-bounds read of the 0xffffffff contents following the heap, forcibly terminating the virtual process and realizing VM escape.

(more…)

QEMU VM Escape Vulnerability (CVE-2019-14378) Threat Alert

September 9, 2019

Overview

Recently, a security researcher disclosed a heap-based buffer overflow vulnerability (CVE-2019-14378) in the SLiRP networking backend in the QEMU emulator. An attacker could exploit this vulnerability to crash the QEMU process on a host machine, resulting in a denial of service, or possibly execute arbitrary code with privileges of the QEMU process. (more…)