QEMU 'tcp_subr.c' Local Heap Buffer Overflow Vulnerability

Bugtraq ID:	106758
Class:	Boundary Condition Error
CVE:	CVE-2019-6778
Remote:	No
Local:	Yes
Published:	Jan 24 2019 12:00AM
Updated:	Jun 17 2019 05:00AM
Credit:	Kira (Tencent Keen Security Lab)
Vulnerable:	Redhat OpenStack Platform 9.0 Redhat OpenStack Platform 8.0 (Liberty) Redhat OpenStack Platform 14 Redhat OpenStack Platform 13 Redhat OpenStack Platform 10 Redhat Enterprise Linux 7 Redhat Enterprise Linux 6 + Trustix Secure Enterprise Linux 2.0 + Trustix Secure Linux 2.2 + Trustix Secure Linux 2.1 + Trustix Secure Linux 2.0 QEMU QEMU 0
Not Vulnerable:

QEMU 'tcp_subr.c' Local Heap Buffer Overflow Vulnerability

QEMU is prone to a local heap-based buffer-overflow vulnerability because it fails to perform adequate boundary-checks on user supplied data.

An attacker may exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.

QEMU 'tcp_subr.c' Local Heap Buffer Overflow Vulnerability

The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

QEMU 'tcp_subr.c' Local Heap Buffer Overflow Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

QEMU 'tcp_subr.c' Local Heap Buffer Overflow Vulnerability

References:

• Exploit for CVE-2019-6778 (Kira-cxy/qemu-vm-escape)
  
• QEMU Homepage (QEMU)
  
• [Qemu-devel] [PULL 65/65] slirp: check data length while emulating ident (GNU)
  
• Bug 1664205 CVE-2019-6778 QEMU: slirp: heap buffer overflow in tcp_emu() (Redhat)
  
• CVE-2019-6778 (Redhat)