CVE-2018-20815

QEMU: device_tree: heap buffer overflow while loading device tree blob

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk.

En QEMU versión 3.1.0, la función load_device_tree en el archivo device_tree.c llama a la función en desuso load_image, que tiene un riesgo de desbordamiento de búfer.

A heap buffer overflow issue was found in the load_device_tree() function of QEMU, which is invoked to load a device tree blob at boot time. It occurs due to device tree size manipulation before buffer allocation, which could overflow a signed int type. A user/process could use this flaw to potentially execute arbitrary code on a host system with privileges of the QEMU process.

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss discovered that memory previously stored in microarchitectural fill buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-03-26 CVE Reserved
2019-04-25 CVE Published
2024-08-05 CVE Updated
2025-04-03 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-122: Heap-based Buffer Overflow

CAPEC

References (14)

URL	Tag	Source
https://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=da885fe1ee8b4589047484bd7fa05a4905b52b17	X_refsource_misc
https://seclists.org/bugtraq/2019/Aug/41	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:1667	2023-11-07
https://access.redhat.com/errata/RHSA-2019:1723	2023-11-07
https://access.redhat.com/errata/RHSA-2019:1743	2023-11-07
https://access.redhat.com/errata/RHSA-2019:1881	2023-11-07
https://access.redhat.com/errata/RHSA-2019:1968	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2507	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2553	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BOE3PVFPMWMXV3DGP2R3XIHAF2ZQU3FS	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RVDHJB2QKXNDU7OFXIHIL5O5VN5QCSZL	2023-11-07
https://www.debian.org/security/2019/dsa-4506	2023-11-07
https://access.redhat.com/security/cve/CVE-2018-20815	2019-08-22
https://bugzilla.redhat.com/show_bug.cgi?id=1693101	2019-08-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Qemu Search vendor "Qemu"		Qemu Search vendor "Qemu" for product "Qemu"				3.1.0 Search vendor "Qemu" for product "Qemu" and version "3.1.0"		-		Affected