Bug 2247283 (CVE-2023-5088) - CVE-2023-5088 QEMU: improper IDE controller reset can lead to MBR overwrite
Summary: CVE-2023-5088 QEMU: improper IDE controller reset can lead to MBR overwrite
Keywords:
Status: NEW
Alias: CVE-2023-5088
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2247771 2247792
Blocks: 2239866
Reported: 2023-10-31 17:50 UTC by Mauro Matteo Cascella
Modified: 2024-04-30 09:35 UTC (History)

Fixed In Version: qemu-kvm 8.2.0
Doc Type: If docs needed, set a value
Doc Text:
A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2024:2135
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2024-04-30 09:35:46 UTC

Description Mauro Matteo Cascella 2023-10-31 17:50:01 UTC
A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.

References:
https://lore.kernel.org/all/20230921160712.99521-1-simon.rowe@nutanix.com/T/
https://lists.nongnu.org/archive/html/qemu-devel/2023-09/msg01011.html
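A simplified model of the reset problem described above, added here as an illustration and not QEMU's code: in the vulnerable path the controller's sector registers are cleared by the reset while a DMA write is still in flight, so the completion callback re-derives its target from the zeroed registers and lands on LBA 0, where the MBR lives; the fixed path cancels the pending operation before clearing state, which is the approach of the upstream fix linked in comment 3. All struct and function names are assumptions chosen for this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NSECTORS 16  /* constructed: a tiny disk is enough for the model */

/* Hypothetical stand-in for the per-drive IDE state. */
typedef struct {
    uint64_t lba;          /* target taken from the taskfile registers */
    bool     dma_pending;  /* async request submitted, callback not yet run */
    int      disk[NSECTORS]; /* records which sector each write hit */
} IdeModel;

/* Guest programs a write to `lba` and kicks off DMA; completion is async. */
static void start_dma_write(IdeModel *s, uint64_t lba) {
    s->lba = lba;
    s->dma_pending = true;
}

/* Completion callback: reads the target from the *current* registers, which
   is what makes a reset in between dangerous. Returns the sector written,
   or -1 if the request had been cancelled. */
static int dma_callback(IdeModel *s) {
    if (!s->dma_pending) return -1;
    s->dma_pending = false;
    s->disk[s->lba % NSECTORS] = 1;
    return (int)(s->lba % NSECTORS);
}

/* Vulnerable reset: registers are cleared while the DMA is still pending. */
static void reset_vulnerable(IdeModel *s) {
    s->lba = 0;
}

/* Fixed reset: cancel the in-flight request first, then clear the state. */
static void reset_fixed(IdeModel *s) {
    s->dma_pending = false;  /* cancel async operation before resetting */
    s->lba = 0;
}

/* Scenario: a write to sector 7 is in flight when the guest resets the
   controller. Returns where the write landed (-1 = cancelled). */
static int run_reset_scenario(bool fixed) {
    IdeModel s;
    memset(&s, 0, sizeof s);
    start_dma_write(&s, 7);
    if (fixed) reset_fixed(&s); else reset_vulnerable(&s);
    return dma_callback(&s);
}
```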

Comment 1 Mauro Matteo Cascella 2023-11-03 10:03:32 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2247771]

Comment 3 John Ferlan 2023-11-03 16:39:24 UTC
Unclear why this CVE was created considering we don't officially support nested virtualization unless there's a support exception, see:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_virtualization/creating-nested-virtual-machines_configuring-and-managing-virtualization

I left the needinfo to help answer that...


Beyond that it's debatable this actually reaches the level of a medium severity.

The referenced upstream patch was not accepted and debate has moved on to:

https://lore.kernel.org/qemu-devel/20230906130922.142845-1-f.ebner@proxmox.com/T/#u

As it was felt to be a more reasonable solution. The update will be placed into a pull request, see:

https://lore.kernel.org/qemu-devel/ab6655b0-a6cf-4c19-56d2-e1cb0e6ac72b@linaro.org/

Comment 4 Mauro Matteo Cascella 2023-11-03 19:28:26 UTC
Hi John,

> Unclear why this CVE was created considering we don't officially support
> nested virtualization unless there's a support exception, see:
> 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_virtualization/creating-nested-virtual-machines_configuring-and-managing-virtualization
> 
> I left the needinfo to help answer that...

This issue was originally reported by Simon Rowe (Nutanix) to qemu-security ML. It got stuck for some time and eventually evaluated to be CVE worthy. John Snow (QEMU IDE maintainer) was involved in the discussion.

We (ProdSec) care about tracking and reporting all security issues within software that is shipped by Red Hat, even when Tech Preview. This is because we'd want to fix CVEs before moving from Tech Preview to Fully Supported. Obviously Tech Preview has a bearing on RH flaw severity, and we leave fix decisions to Engineering as per their life-cycle policies.
 
> Beyond that it's debatable this actually reaches the level of a medium
> severity.

Moderate seemed a good compromise between potentially bad impact (bootloader overwrite) and Tech Preview policy.

> The referenced upstream patch was not accepted and debate has moved on to:
> 
> https://lore.kernel.org/qemu-devel/20230906130922.142845-1-f.ebner@proxmox.com/T/#u
> 
> As it was felt to be a more reasonable solution. The update will be placed
> into a pull request, see:
> 
> https://lore.kernel.org/qemu-devel/ab6655b0-a6cf-4c19-56d2-e1cb0e6ac72b/

Thanks for the update.

Comment 5 Mauro Matteo Cascella 2023-11-03 19:54:32 UTC
Statement:

Red Hat currently provides the nested virtualization feature as a Technology Preview. Nested virtualization is therefore unsupported for production use. For more information please refer to https://access.redhat.com/solutions/21101 and https://access.redhat.com/support/offerings/techpreview.

Comment 6 John Ferlan 2023-11-06 16:06:22 UTC
FWIW: IDE/SATA is really low on the priority list of things John has time to work on.

We've been trying to find someone from the community to pick it up for quite a while now - no takers.

It's really old technology and the issue reads like a corner case of what anyone could possibly do, hence why I question "medium".

Philippe has posted the PR for QEMU, but did not reference the CVE# in the PR:

https://lore.kernel.org/qemu-devel/20231106110336.358-48-philmd@linaro.org/
https://lore.kernel.org/qemu-devel/20231106110336.358-49-philmd@linaro.org/

These should land in qemu-8.2

Comment 8 errata-xmlrpc 2024-04-30 09:35:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2135 https://access.redhat.com/errata/RHSA-2024:2135

