QEMU virtual machine escape vulnerability disclosed: direct control of the underlying physical host

A vulnerability chain dubbed "QEMUtiny" has been disclosed in QEMU's CXL Type-3 device emulation module. An attacker with root privileges inside the guest can use it to escape the virtual machine and obtain the privileges of the host QEMU process, and even host root; the risk is rated high (no CVE number has been assigned yet).

Vulnerability principle
The chain stems from two fatal defects in the CXL mailbox logic (hw/cxl/cxl-mailbox-utils.c):

  1. Out-of-bounds read (GET_LOG): a pointer-arithmetic error leaks host memory addresses.
  2. Out-of-bounds write (SET_FEATURE): a missing bounds check allows fields of the device object to be corrupted, and from there the program's control flow to be hijacked.

Affected scope
Only QEMU instances that have CXL support enabled (launch parameters such as cxl=on or cxl-type3) and expose that device to the guest are affected. Ordinary QEMU virtual machines and physical CXL hardware are not affected.

Security recommendations
  1. Audit the parameters: review the QEMU launch configuration and remove any unnecessary CXL-related parameters.
  2. Cut off exposure: never expose a CXL Type-3 device to an untrusted guest virtual machine.
  3. Isolate to reduce risk: temporarily disable this emulation feature, or use it only in strictly isolated test environments.
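As an added example (not part of the advisory or of QEMU), a small POSIX shell check for the first two recommendations: it flags a QEMU command line that turns on CXL (cxl=on on -machine/-M) or attaches a cxl-type3 device, and can walk the running qemu-system processes on a host. The option spellings come from the advisory; the process scan assumes a ps that accepts -eo pid=,args=.

```shell
#!/bin/sh
# Added example, not from the advisory or from QEMU: flag QEMU command
# lines that enable CXL emulation (cxl=on on -machine/-M) or attach a
# cxl-type3 device. Option names are taken from the advisory; the process
# scan assumes a ps that supports "-eo pid=,args=".

# cxl_exposed CMDLINE
#   Prints the CXL-related fragments found in CMDLINE and returns 0 if
#   any were found, 1 if the command line exposes no CXL device.
cxl_exposed() {
    _cmd=$1
    _hits=""
    # -machine q35,cxl=on (or -M ...): CXL support switched on
    if printf '%s\n' "$_cmd" | grep -Eq -e '-(machine|M)[[:space:]]+[^[:space:]]*cxl=on'; then
        _hits="${_hits:+$_hits }machine:cxl=on"
    fi
    # -device cxl-type3,...: a Type-3 device handed to the guest
    if printf '%s\n' "$_cmd" | grep -Eq -e '-device[[:space:]]+(driver=)?cxl-type3'; then
        _hits="${_hits:+$_hits }device:cxl-type3"
    fi
    if [ -n "$_hits" ]; then
        printf '%s\n' "$_hits"
        return 0
    fi
    return 1
}

# scan_running
#   Reports every running qemu-system process whose command line exposes
#   CXL, together with its PID. Silent when nothing is exposed.
scan_running() {
    ps -eo pid=,args= 2>/dev/null | grep 'qemu-system' | while read -r _pid _args; do
        if _h=$(cxl_exposed "$_args"); then
            printf 'PID %s exposes CXL: %s\n' "$_pid" "$_h"
        fi
    done
}
```

Run scan_running on each hypervisor host; any PID it prints is an instance to review against recommendations 1 and 2 above.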

---
Description from https://www.altusintel.com/public-yyr4wj/?tt=1778864416:

Researchers have recently uncovered vulnerabilities in QEMU that allow a guest system to gain root access to the host, following their identification of the Fragnesia vulnerability in the Linux kernel. The issue has been dubbed QEMUtiny, although it has not yet been assigned a CVE ID. An exploit has been developed that chains two vulnerabilities in the CXL (Compute Express Link) device emulation code.

Both vulnerabilities are in cxl-mailbox-utils.c. The first, present since QEMU 7.1.0, is a read from memory outside the allocated buffer caused by an indexing error in the cmd_logs_get_log() function. The second, present since QEMU 11.0.0, is a buffer overflow in the cmd_features_set_feature() function caused by mishandling of offsets into structures.

The attack is only feasible on the latest branch of QEMU 11.0.0. QEMU developers have not yet published any information about a fix for these vulnerabilities. Before disclosing the issue, the researchers informed the developers, who mentioned that support for the CXL device in QEMU was not intended for virtualization.

The exploit was tested against the QEMU codebase from May 11 at the latest commit, 5e61afe. The exploit depends on the memory layout of the specific QEMU build and the system libc. The researchers believe that by leveraging the memory-disclosure vulnerability, a universal exploit could be crafted for various QEMU versions.