Описание
Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.
A use-after-free flaw was found in the way QEMU's IDE AHCI emulator processed certain AHCI Native Command Queuing (NCQ) AIO commands. A privileged guest user could use this flaw to crash the QEMU process instance or, potentially, execute arbitrary code on the host with privileges of the QEMU process.
Отчет
The vector of exploit requires to enable TIOCSTI with sysctl, because it is by default disabled since RHEL9 and on. Then, the user would have to be in root terminal, from there the user would have to run a malicious app that would use TIOCSTI to jump out of the child non-root shell back to the parent root shell.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | kvm | Not affected | ||
| Red Hat Enterprise Linux 5 | xen | Not affected | ||
| Red Hat Enterprise Linux 6 | qemu-kvm | Not affected | ||
| Red Hat Enterprise Linux 6 | qemu-kvm-rhev | Not affected | ||
| Red Hat Enterprise Linux 7 | qemu-kvm | Affected | ||
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 | qemu-kvm-rhev | Not affected | ||
| Red Hat OpenStack Platform 8 (Liberty) | qemu-kvm-rhev | Affected | ||
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 | qemu-kvm-rhev | Fixed | RHSA-2016:0086 | 28.01.2016 |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | qemu-kvm-rhev | Fixed | RHSA-2016:0087 | 28.01.2016 |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | qemu-kvm-rhev | Fixed | RHSA-2016:0088 | 28.01.2016 |
Показывать по
Дополнительная информация
Статус:
EPSS
4 Medium
CVSS2
Связанные уязвимости
Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.
Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.
Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with ...
Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.
Уязвимость эмулятора аппаратного обеспечения QEMU, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код
EPSS
4 Medium
CVSS2