Home > Cyber News > CVE-2019-14378: QEMU Vulnerability Allows Virtual Machine Escape

CVE-2019-14378: QEMU Vulnerability Allows Virtual Machine Escape

CVE-2019-14378 is a new vulnerability in QEMU, an open-source hardware virtualization package.

QEMU emulates a machine’s processor through dynamic binary translation and provides a set of different hardware and device models for the machine, enabling it to run a variety of guest operating systems.

The recently disclosed vulnerability could allow attackers to carry out the so-called virtual machine escape by attacking the host OS running QEMU.

CVE-2019-14378 – Technical Details and Impact

According to the official description, the vulnerability is “a heap buffer overflow issue” which was found in the SLiRP networking implementation of the QEMU emulator. The issue occurs in the ip_reass() routine while reassembling incoming packets, in case the first fragment is bigger than the m->m_dat[] buffer. An attacker could use this flaw to crash the QEMU process on the host, resulting in a Denial of Service condition, or potentially executing arbitrary code with privileges of the QEMU process.

Related: [wplinkpreview url=”https://sensorstechforum.com/cve-2019-15107-webmin/”] CVE-2019-15107: Remote Code Execution Vulnerability in Webmin

In terms of its impact, the vulnerability endangers providers of cloud-hosted virtual machines that use QEMU for virtualization. The good news is that there is no indication that it was exploited in actual attacks, as the flaw was discovered during a code audit by researcher Vishnu Dev. It also should be noted that a successful exploit requires bypassing ASLR and PIE.

The good news is that a patch is available. Details of the CVE-2019-14378 vulnerability were made public four weeks after the patch was released.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree