A privilege escalation vulnerability was found in the QEMU Guest Agent service for Windows. A local unprivileged user is able to manipulate the QEMU Guest Agent's Windows installer (via repair custom actions) to elevate their privileges to the SYSTEM account within the guest. Note: this is not a VM escape flaw, meaning that it does *not* allow a malicious user to break out of the guest. It affects Windows VMs using virtio-win drivers with QEMU Guest Agent installed in the guest.
Upstream patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg01445.html
Technical details: The cached installer for QEMU Guest Agent in c:\windows\installer (https://github.com/qemu/qemu/blob/master/qga/installer/qemu-ga.wxs) , can be leveraged to begin a repair of the installation without validation that the repair is being performed by an administrative user. The MSI repair custom action "RegisterCom" and "UnregisterCom" is not set for impersonation which allows for the actions to occur as the SYSTEM account (LINE 137 AND 145 of qemu-ga.wxs). The custom action also leverages cmd.exe to run qemu-ga.exe in line 134 and 142 which causes an interactive command shell to spawn even though the MSI is set to be non-interactive on line 53. Red Hat would like to thank Brian Wiltse for reporting this issue.
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 2175700]
Upstream commits: https://gitlab.com/qemu-project/qemu/-/commit/88288c2a51faa7c795f053fc8b31b1c16ff804c5 https://gitlab.com/qemu-project/qemu/-/commit/07ce178a2b0768eb9e712bb5ad0cf6dc7fcf0158