Bug 2167423 (CVE-2023-0664) - CVE-2023-0664 QEMU: local privilege escalation via the QEMU Guest Agent on Windows
Summary: CVE-2023-0664 QEMU: local privilege escalation via the QEMU Guest Agent on Wi...
Keywords:
Status: NEW
Alias: CVE-2023-0664
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Yvugenfi@redhat.com
QA Contact:
URL:
Whiteboard:
Depends On: 2167436 2168242 2175700 2178028
Blocks: 2156568
TreeView+ depends on / blocked
 
Reported: 2023-02-06 15:30 UTC by Mauro Matteo Cascella
Modified: 2024-03-11 07:21 UTC (History)
11 users (show)

Fixed In Version: qemu-kvm 8.0.0-rc0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2023-02-06 15:30:33 UTC
A privilege escalation vulnerability was found in the QEMU Guest Agent service for Windows. A local unprivileged user is able to manipulate the QEMU Guest Agent's Windows installer (via repair custom actions) to elevate their privileges to the SYSTEM account within the guest.

Note: this is not a VM escape flaw, meaning that it does *not* allow a malicious user to break out of the guest. It affects Windows VMs using virtio-win drivers with QEMU Guest Agent installed in the guest.

Comment 4 Mauro Matteo Cascella 2023-02-21 08:56:02 UTC
Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg01445.html

Comment 5 Mauro Matteo Cascella 2023-02-21 09:22:49 UTC
Technical details: The cached installer for QEMU Guest Agent in c:\windows\installer (https://github.com/qemu/qemu/blob/master/qga/installer/qemu-ga.wxs) , can be leveraged to begin a repair of the installation without validation that the repair is being performed by an administrative user. The MSI repair custom action "RegisterCom" and "UnregisterCom" is not set for impersonation which allows for the actions to occur as the SYSTEM account (LINE 137 AND 145 of qemu-ga.wxs). The custom action also leverages cmd.exe to run qemu-ga.exe in line 134 and 142 which causes an interactive command shell to spawn even though the MSI is set to be non-interactive on line 53.

Red Hat would like to thank Brian Wiltse for reporting this issue.

Comment 6 Mauro Matteo Cascella 2023-03-06 11:17:29 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2175700]

Comment 16 Velint 2023-11-15 07:58:35 UTC Comment hidden (spam)
Comment 17 Yvugenfi@redhat.com 2023-11-19 12:58:06 UTC
(In reply to Velint from comment #16)
> The vulnerability you described is a serious concern and should be addressed
> promptly. It allows a local unprivileged user within a Windows VM to elevate
> their privileges to the SYSTEM account, which could enable them to perform
> malicious actions within the guest environment. Play
> https://basketballrandom.com with your friend now!

It was already fixed upstream and downstream.

Comment 18 evawillms 2024-03-08 07:06:19 UTC Comment hidden (spam)
Comment 19 evawillms 2024-03-08 07:06:42 UTC Comment hidden (spam)
Comment 20 evawillms 2024-03-08 07:07:16 UTC Comment hidden (spam)

Note You need to log in before you can comment on or make changes to this bug.