CVE-2018-17958
📋 TL;DR
CVE-2018-17958 is a buffer overflow vulnerability in QEMU's RTL8139 network device emulation due to an incorrect integer data type. This allows attackers to execute arbitrary code or cause denial of service on the host system. Affected systems include those running vulnerable versions of QEMU with RTL8139 network device emulation enabled.
💻 Affected Systems
- QEMU
- KVM with QEMU
- libvirt with QEMU
- Red Hat Virtualization
- oVirt
- Proxmox VE
📦 What is this software?
Qemu by Qemu
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Full host compromise through arbitrary code execution on the QEMU host, potentially leading to complete virtualization environment takeover.
Likely Case
Denial of service (QEMU process crash) or limited code execution within the QEMU process context.
If Mitigated
No impact if RTL8139 network device is not used or proper network segmentation/isolation is in place.
🎯 Exploit Status
Exploitation requires network access to the virtual machine's network interface. Proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: QEMU 2.12.1, 3.0.1, or later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:2425
Restart Required: Yes
Instructions:
1. Update QEMU package to version 2.12.1 or 3.0.1+.
2. Restart all affected virtual machines.
3. Verify the fix by checking QEMU version.
🔧 Temporary Workarounds
Disable RTL8139 network device
Linux: Switch from RTL8139 to virtio-net or other network device emulation
virsh edit <vm_name> # Change network model from 'rtl8139' to 'virtio'
Network segmentation
All platforms: Isolate virtual machines using RTL8139 from untrusted networks
🧯 If You Can't Patch
- Disable RTL8139 network device emulation and use virtio-net instead
- Implement strict network segmentation and firewall rules for affected VMs
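To apply the RTL8139 workaround you first need to know which guests still use that NIC model. The script below is an added example, not part of the advisory or any vendor tooling: it reads the XML printed by virsh dumpxml and lists the MAC address of every interface whose model is rtl8139. The sample domain and its MAC addresses are constructed, and the parser assumes libvirt's one-element-per-line output.

```shell
#!/bin/sh
# Added example: list guest NICs that still use the rtl8139 model.

# Reads one domain's XML on stdin (as printed by `virsh dumpxml`, assumed to be
# one element per line) and prints the MAC of each <interface> using rtl8139.
list_rtl8139_nics() {
    tr "'" '"' | awk '
        /<interface[ >]/   { in_if = 1; mac = "unknown"; model = "" }
        in_if && /<mac /   { if (match($0, /address="[^"]+/)) mac = substr($0, RSTART + 9, RLENGTH - 9) }
        in_if && /<model / { if (match($0, /type="[^"]+/)) model = substr($0, RSTART + 6, RLENGTH - 6) }
        /<\/interface>/    { if (in_if && model == "rtl8139") print mac; in_if = 0 }
    '
}

# Walks every defined domain on this host; prints "domain<TAB>mac" per hit.
audit_host() {
    virsh list --all --name | while IFS= read -r dom; do
        [ -n "$dom" ] || continue
        virsh dumpxml "$dom" | list_rtl8139_nics | while IFS= read -r mac; do
            printf '%s\t%s\n' "$dom" "$mac"
        done
    done
}

# Constructed sample domain: one rtl8139 NIC and one virtio NIC.
sample_domain_xml() {
    cat <<'EOF'
<domain type='kvm'>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:aa:bb:01'/>
      <model type='rtl8139'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:02'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
EOF
}

# With --host, audit the local libvirt host; otherwise run on the sample.
if [ "${1:-}" = "--host" ]; then audit_host; else sample_domain_xml | list_rtl8139_nics; fi
```

Run it with --host on a hypervisor to get one line per affected interface; each listed guest is a candidate for the virsh edit change described above.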
🔍 How to Verify
Check if Vulnerable:
Check QEMU version (a match means the version is not one of the fixed releases): qemu-system-x86_64 --version | grep -E 'version (2\.(1[01]\.|12\.0|0\.)|3\.0\.0)'
Check Version:
qemu-system-x86_64 --version | head -1
Verify Fix Applied:
Verify QEMU version is 2.12.1, 3.0.1 or later: qemu-system-x86_64 --version
📡 Detection & Monitoring
Log Indicators:
- QEMU process crashes
- Kernel logs showing segmentation faults in QEMU process
- Unexpected network traffic patterns to/from VMs
Network Indicators:
- Unusual network packets targeting RTL8139 emulated interfaces
- Exploit-specific network patterns
SIEM Query:
process_name:"qemu-system" AND (event_type:crash OR exit_code:139)
🔗 References
- http://www.openwall.com/lists/oss-security/2018/10/08/1
- http://www.securityfocus.com/bid/105556
- https://access.redhat.com/errata/RHSA-2019:2425
- https://access.redhat.com/errata/RHSA-2019:2553
- https://lists.debian.org/debian-lts-announce/2019/01/msg00023.html
- https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html
- https://seclists.org/bugtraq/2019/May/76
- https://usn.ubuntu.com/3826-1/
- https://www.debian.org/security/2019/dsa-4454