
CVE-2023-4135

Out-of-bounds read information disclosure vulnerability

Severity Score: 6.5 (CVSS v3.1)
Exploit Likelihood: - (EPSS)
Affected Versions: - (CPE)
Public Exploits: 0 (multiple sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed.

This vulnerability allows local attackers to disclose sensitive information on affected installations of QEMU. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability.
The specific flaw exists within the NVMe virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the hypervisor.
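The offset-validation failure described above, reduced to a constructed model as an added example (this is not QEMU's nvme code; the names `vdev`, `copy_to_guest_unchecked`, `copy_to_guest_checked` and the buffer layout are hypothetical). The "device buffer" sits at the start of a larger heap arena whose remaining bytes stand in for whatever the hypervisor happens to have adjacent on its heap. The unchecked path forms a host pointer from the guest-supplied offset and copies, so an offset past the end of the device buffer discloses the adjacent bytes; the checked path bounds both offset and length against the allocation with overflow-safe arithmetic before touching memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout: the first DEV_BUF_SIZE bytes of a larger heap arena
 * are the region the guest may legitimately read; the rest is a constructed
 * stand-in for neighbouring hypervisor heap memory, filled with 'S'. */
#define DEV_BUF_SIZE 64
#define ARENA_SIZE   256

struct vdev {
    uint8_t *arena;    /* single heap allocation backing the device buffer */
    uint8_t *dev_buf;  /* == arena; the guest-visible region */
};

/* Vulnerable pattern: the guest-controlled offset becomes a host pointer with
 * no check against the size of the allocation it is supposed to index. */
static int copy_to_guest_unchecked(const struct vdev *d, uint64_t guest_off,
                                   uint8_t *guest_dst, size_t len)
{
    const uint8_t *src = d->dev_buf + guest_off;   /* no bounds check */
    memcpy(guest_dst, src, len);
    return 0;
}

/* Hardened pattern: refuse any offset/length pair that leaves the device
 * buffer. The offset is checked first so DEV_BUF_SIZE - guest_off cannot
 * wrap, and the length is compared against the remaining space rather than
 * computing guest_off + len, which could overflow. */
static int copy_to_guest_checked(const struct vdev *d, uint64_t guest_off,
                                 uint8_t *guest_dst, size_t len)
{
    if (guest_off >= DEV_BUF_SIZE || len > DEV_BUF_SIZE - guest_off)
        return -1;                                  /* out of range: refuse */
    memcpy(guest_dst, d->dev_buf + guest_off, len);
    return 0;
}

static struct vdev *vdev_new(void)
{
    struct vdev *d = malloc(sizeof *d);
    d->arena = malloc(ARENA_SIZE);
    memset(d->arena, 'A', DEV_BUF_SIZE);                             /* device data */
    memset(d->arena + DEV_BUF_SIZE, 'S', ARENA_SIZE - DEV_BUF_SIZE); /* constructed adjacent heap */
    d->dev_buf = d->arena;
    return d;
}

static void vdev_free(struct vdev *d)
{
    free(d->arena);
    free(d);
}

/* Run one copy path with a guest-chosen offset/length and count how many
 * bytes of the adjacent region ('S') ended up in the guest's buffer.
 * For the unchecked path, keep off + len within ARENA_SIZE so the demo stays
 * inside the single allocation and therefore defined behaviour. */
static int leaked_bytes(int (*copy)(const struct vdev *, uint64_t, uint8_t *, size_t),
                        uint64_t off, size_t len)
{
    uint8_t out[ARENA_SIZE];
    if (len > sizeof out)
        return -1;
    memset(out, 0, sizeof out);

    struct vdev *d = vdev_new();
    int rc = copy(d, off, out, len);
    int leaked = 0;
    if (rc == 0)
        for (size_t i = 0; i < len; i++)
            leaked += (out[i] == 'S');
    vdev_free(d);
    return leaked;
}

int main(void)
{
    printf("unchecked path, offset %d len 32: %d adjacent-heap bytes leaked\n",
           DEV_BUF_SIZE, leaked_bytes(copy_to_guest_unchecked, DEV_BUF_SIZE, 32));
    printf("checked path,   offset %d len 32: %d adjacent-heap bytes leaked\n",
           DEV_BUF_SIZE, leaked_bytes(copy_to_guest_checked, DEV_BUF_SIZE, 32));
    return 0;
}
```

The guest never needs a write primitive here: a single read request with an out-of-range offset is enough to pull host heap contents into guest memory, which is why the CVSS vectors on this page rate Confidentiality High with Integrity and Availability None. The order of the two checks in `copy_to_guest_checked` matters; comparing `guest_off + len` against the size would let a large 64-bit offset wrap the sum back into range.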

*Credits: Red Hat would like to thank Trend Micro Zero Day Initiative for reporting this issue.
CVSS Scores

Vector 1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (base score 6.5)
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Vector 2: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N (base score 6.0 as computed from the vector; differs from vector 1 only in Privileges Required)
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2023-08-03 CVE Reserved
  • 2023-08-04 CVE Published
  • 2023-08-05 EPSS Updated
  • 2024-08-02 CVE Updated
  • Exploited in Wild: -
  • KEV Due Date: -
  • First Exploit: -
CWE
  • CWE-125: Out-of-bounds Read
CAPEC
  • -
Affected Vendors, Products, and Versions

Vendor         Product  Version            Other  Status
Qemu           Qemu     >= 8.0.0 < 8.1.0   -      Affected
Qemu           Qemu     8.1.0              rc0    Affected
Qemu           Qemu     8.1.0              rc1    Affected
Qemu           Qemu     8.1.0              rc2    Affected
Fedoraproject  Fedora   38                 -      Affected