CVE-2018-12617

QEMU Guest Agent 2.12.50 - Denial of Service

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket.

qmp_guest_file_read en qga/commands-posix.c y qga/commands-win32.c en qemu-ga (también conocido como QEMU Guest Agent) en QEMU 2.12.50 tiene un desbordamiento de enteros que provoca que una llamada g_malloc0() desencadene un fallo de segmentación al intentar asignar un gran fragmento de memoria. La vulnerabilidad puede ser explotada mediante el envío de un comando QMP manipulado (incluyendo guest-file-read con un valor largo de conteo) al agente mediante el socket en escucha.

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled NE2000 device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. It was discovered that QEMU incorrectly handled the Slirp networking back-end. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Various other issues were also addressed.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-06-21 CVE Reserved
2018-06-21 CVE Published
2018-06-22 First Exploit
2024-08-05 CVE Updated
2025-04-06 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-190: Integer Overflow or Wraparound

CAPEC

References (9)

URL	Tag	Source
http://www.securityfocus.com/bid/104531	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/02/msg00041.html	Mailing List
https://seclists.org/bugtraq/2019/May/76	Mailing List

URL	Date	SRC
https://packetstorm.news/files/id/148284	2018-06-22
https://www.exploit-db.com/exploits/44925	2024-08-05
https://gist.github.com/fakhrizulkifli/c7740d28efa07dafee66d4da5d857ef6	2024-08-05

URL	Date	SRC
https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg03385.html	2020-11-19

URL	Date	SRC
https://usn.ubuntu.com/3826-1	2020-11-19
https://www.debian.org/security/2019/dsa-4454	2020-11-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Qemu Search vendor "Qemu"		Qemu Search vendor "Qemu" for product "Qemu"				<= 2.12.50 Search vendor "Qemu" for product "Qemu" and version " <= 2.12.50"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected