Bug 1139671 - (CVE-2019-12929) VUL-0: CVE-2019-12929: kvm,qemu: qemu: QEMU guest agent guest_exec command execution
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Critical
Assigned To: Security Team bot
https://smash.suse.de/issue/235640/
CVSSv3:RedHat:CVE-2019-12929:0.0:(AV:...
Blocks: 1140123
Reported: 2019-06-28 07:35 UTC by Marcus Meissner
Modified: 2019-10-24 08:55 UTC
Found By: Security Response Team
Description Marcus Meissner 2019-06-28 07:35:55 UTC
rh#1724809

The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.

https://fakhrizulkifli.github.io/posts/2019/06/06/CVE-2019-12929/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1724809
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12929
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12929.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12929
https://fakhrizulkifli.github.io/posts/2019/06/06/CVE-2019-12929/
Comment 1 Marcus Meissner 2019-07-08 08:25:11 UTC
SLE 12 SP2 qemu and newer.
Comment 2 Liang Yan 2019-07-22 16:48:55 UTC
This one has also been modified as "DISPUTED". 

Red Hat thought Guest Agent should be used by trusted users and applications. TCP server socket is the only transport option supported by QMP, local UNIX socket could not used and more secure.

If one could run the 'guest_exec' command, it means the user already has access to the VM, so it should not be a security issue, or, say, the security issue already existed.

On the other side, with the local Unix socket for libvirt, the socket also has the same user as the qemu process managed by libvirt. Libvirt also provides a unique per-VM sVirt label to distinguish users even if they have the same system user-id.
Comment 5 Marcus Meissner 2019-10-24 08:55:16 UTC
We agree with the dispute.
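
The transport question raised in comment 2 can be checked on a host by inspecting how each QEMU process was started. The following is an added example, not part of this bug report and not code from QEMU or libvirt: it flags QMP monitors and guest-agent channels that are backed by a TCP socket rather than a local UNIX socket. The function name, the sample command lines and the socket paths are constructed for illustration.

```python
import shlex

GA_CHANNEL = "org.qemu.guest_agent.0"  # conventional virtio-serial channel name for qemu-ga

def _opts(arg):
    """Split 'head,k=v,flag' into (head, {k: v}); bare flags are ignored."""
    parts = arg.split(",")
    return parts[0], dict(p.split("=", 1) for p in parts if "=" in p)

def audit_qemu_cmdline(cmdline):
    """Return [(kind, endpoint)] for QMP / guest-agent endpoints bound to TCP."""
    argv = shlex.split(cmdline)
    pairs = list(zip(argv, argv[1:]))
    tcp_chardevs, findings = {}, []
    for opt, val in pairs:
        head, kv = _opts(val)
        # A socket chardev with port= is TCP; one with path= is a UNIX socket.
        if opt == "-chardev" and head == "socket" and "id" in kv \
                and "port" in kv and "path" not in kv:
            # '*' marks a chardev given without an explicit host=
            tcp_chardevs[kv["id"]] = f"{kv.get('host', '*')}:{kv['port']}"
        elif opt in ("-qmp", "-qmp-pretty") and head.startswith("tcp:"):
            findings.append(("qmp", head.split(":", 1)[1]))
    for opt, val in pairs:
        head, kv = _opts(val)
        # -mon accepts both 'chardev=ID,...' and the short form 'ID,...'
        cd = kv.get("chardev", head if opt == "-mon" else None)
        if cd not in tcp_chardevs:
            continue
        if opt == "-mon" and kv.get("mode") == "control":
            findings.append(("qmp", tcp_chardevs[cd]))
        elif opt == "-device" and kv.get("name") == GA_CHANNEL:
            findings.append(("guest-agent", tcp_chardevs[cd]))
    return findings

# Constructed sample command lines (not taken from the bug report).
EXPOSED = ("qemu-system-x86_64 -m 2048 "
           "-chardev socket,id=ga0,host=0.0.0.0,port=5555,server=on,wait=off "
           "-device virtio-serial "
           "-device virtserialport,chardev=ga0,name=org.qemu.guest_agent.0 "
           "-qmp tcp:0.0.0.0:4444,server,nowait")
LOCAL = ("qemu-system-x86_64 -m 2048 "
         "-chardev socket,id=ga0,path=/run/example/ga.sock,server=on,wait=off "
         "-device virtio-serial "
         "-device virtserialport,chardev=ga0,name=org.qemu.guest_agent.0 "
         "-chardev socket,id=mon0,path=/run/example/mon.sock,server=on,wait=off "
         "-mon chardev=mon0,mode=control")

if __name__ == "__main__":
    for name, cmd in (("EXPOSED", EXPOSED), ("LOCAL", LOCAL)):
        print(name, audit_qemu_cmdline(cmd))
```

Feed it the contents of `/proc/<pid>/cmdline` (with NUL bytes replaced by spaces) for each running QEMU process; an empty result means no monitor or agent channel on that command line is reachable over TCP.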