Bug 2167423 (CVE-2023-0664) - CVE-2023-0664 QEMU: local privilege escalation via the QEMU Guest Agent on Windows
Keywords:
Status: NEW
Alias: CVE-2023-0664
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Yvugenfi@redhat.com
QA Contact:
URL:
Whiteboard:
Depends On: 2167436 2168242 2175700 2178028
Blocks: 2156568
Reported: 2023-02-06 15:30 UTC by Mauro Matteo Cascella
Modified: 2024-03-11 07:21 UTC

Fixed In Version: qemu-kvm 8.0.0-rc0
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Mauro Matteo Cascella 2023-02-06 15:30:33 UTC
A privilege escalation vulnerability was found in the QEMU Guest Agent service for Windows. A local unprivileged user is able to manipulate the QEMU Guest Agent's Windows installer (via repair custom actions) to elevate their privileges to the SYSTEM account within the guest.

Note: this is not a VM escape flaw, meaning that it does *not* allow a malicious user to break out of the guest. It affects Windows VMs using virtio-win drivers with QEMU Guest Agent installed in the guest.

Comment 4 Mauro Matteo Cascella 2023-02-21 08:56:02 UTC
Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg01445.html

Comment 5 Mauro Matteo Cascella 2023-02-21 09:22:49 UTC
Technical details: The cached installer for QEMU Guest Agent in c:\windows\installer (https://github.com/qemu/qemu/blob/master/qga/installer/qemu-ga.wxs) can be leveraged to begin a repair of the installation without validation that the repair is being performed by an administrative user. The MSI repair custom actions "RegisterCom" and "UnregisterCom" are not set for impersonation, which allows the actions to occur as the SYSTEM account (lines 137 and 145 of qemu-ga.wxs). The custom actions also leverage cmd.exe to run qemu-ga.exe on lines 134 and 142, which causes an interactive command shell to spawn even though the MSI is set to be non-interactive on line 53.

Red Hat would like to thank Brian Wiltse for reporting this issue.
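
An added example, not part of the bug report or the QEMU code base: a Python audit of a WiX source for the pattern comment 5 describes, custom actions that run without impersonation and wrap their command in a shell. The WiX fragment is constructed, and `SafeAction`, `INSTALLDIR` and `agent.exe` are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed WiX v3 fragment modelled on comment 5; it is not a copy of
# qemu-ga.wxs. SafeAction, INSTALLDIR and agent.exe are hypothetical names.
SAMPLE_WXS = """<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Name="Sample Agent">
    <CustomAction Id="RegisterCom" Property="cmdpath" Execute="deferred"
                  Impersonate="no" Return="check"
                  ExeCommand='cmd.exe /c "[INSTALLDIR]agent.exe" -s vss-install'/>
    <CustomAction Id="SafeAction" Directory="INSTALLDIR" Execute="deferred"
                  Impersonate="yes" ExeCommand='"[INSTALLDIR]agent.exe" -v'/>
    <InstallExecuteSequence>
      <Custom Action="RegisterCom" After="InstallServices">NOT REMOVE</Custom>
      <Custom Action="SafeAction" After="InstallFiles">NOT Installed</Custom>
    </InstallExecuteSequence>
  </Product>
</Wix>"""

# Phases in which Impersonate="no" runs the command as the installer service.
ELEVATED_PHASES = {"deferred", "commit", "rollback"}
SHELL_RE = re.compile(r"\b(cmd|powershell|pwsh)(\.exe)?\b", re.IGNORECASE)

def local(tag):  # drop the XML namespace prefix from an element tag
    return tag.rsplit("}", 1)[-1]

def audit_custom_actions(wxs_text):
    """Return one finding per custom action that runs without impersonation."""
    elements = list(ET.fromstring(wxs_text).iter())
    # Scheduling condition per action id, to judge reachability during repair.
    conditions = {e.get("Action"): (e.text or "").strip()
                  for e in elements if local(e.tag) == "Custom"}
    findings = []
    for e in elements:
        if local(e.tag) != "CustomAction":
            continue
        # WiX defaults when the attribute is absent: immediate, impersonated.
        if (e.get("Execute", "immediate").lower() not in ELEVATED_PHASES
                or e.get("Impersonate", "yes").lower() != "no"):
            continue
        reasons = ["no-impersonation"]
        if SHELL_RE.search(e.get("ExeCommand", "")):
            reasons.append("shell-wrapper")
        findings.append({"id": e.get("Id"), "reasons": reasons,
                         "condition": conditions.get(e.get("Id"), "")})
    return findings

if __name__ == "__main__":
    for finding in audit_custom_actions(SAMPLE_WXS):
        print(finding)
```

Each finding carries the action's scheduling condition so a reviewer can check whether the action is reachable from a repair started by a non-administrative user.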

Comment 6 Mauro Matteo Cascella 2023-03-06 11:17:29 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2175700]

Comment 17 Yvugenfi@redhat.com 2023-11-19 12:58:06 UTC
(In reply to Velint from comment #16)
> The vulnerability you described is a serious concern and should be addressed
> promptly. It allows a local unprivileged user within a Windows VM to elevate
> their privileges to the SYSTEM account, which could enable them to perform
> malicious actions within the guest environment.

It was already fixed upstream and downstream.
