CVE-2019-14378 is a new vulnerability in QEMU, an open-source hardware virtualization package.
QEMU emulates a machine’s processor through dynamic binary translation and provides a set of different hardware and device models for the machine, enabling it to run a variety of guest operating systems.
The recently disclosed vulnerability could allow attackers to carry out the so-called virtual machine escape by attacking the host OS running QEMU.
CVE-2019-14378 – Technical Details and Impact
According to the official description, the vulnerability is “a heap buffer overflow issue” which was found in the SLiRP networking implementation of the QEMU emulator. The issue occurs in the ip_reass() routine while reassembling incoming packets, in case the first fragment is bigger than the m->m_dat buffer. An attacker could use this flaw to crash the QEMU process on the host, resulting in a Denial of Service condition, or potentially executing arbitrary code with privileges of the QEMU process.
In terms of its impact, the vulnerability endangers providers of cloud-hosted virtual machines that use QEMU for virtualization. The good news is that there is no indication that it was exploited in actual attacks, as the flaw was discovered during a code audit by researcher Vishnu Dev. It also should be noted that a successful exploit requires bypassing ASLR and PIE.
The good news is that a patch is available. Details of the CVE-2019-14378 vulnerability were made public four weeks after the patch was released.