CVE-2020-35517

8.2 HIGH

📋 TL;DR

This vulnerability allows a privileged guest user in a QEMU virtual machine with virtio-fs shared directories to create device special files that provide read/write access to host devices. It affects systems running QEMU with virtio-fs enabled where untrusted guests have access to shared directories. This enables privilege escalation from guest to host.

💻 Affected Systems

Products:
  • QEMU
  • libvirt
  • virt-manager
  • OpenStack
  • oVirt
  • Proxmox VE
  • KVM virtualization stacks
Versions: QEMU versions before 5.2.0
Operating Systems: Linux distributions with QEMU/KVM virtualization
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when virtio-fs is enabled and shared directories are configured between host and guest. Not all QEMU installations use virtio-fs.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious guest administrator can access sensitive host devices (like storage, memory, or network interfaces) leading to full host compromise, data theft, or denial of service.

🟠 Likely Case

Privileged guest users escape virtualization boundaries to access host filesystems or devices they shouldn't have access to, potentially modifying system files or accessing sensitive data.

🟢 If Mitigated

If proper access controls are in place and shared directories contain only non-sensitive data, impact is limited to the shared directory contents.

🌐 Internet-Facing: LOW - This requires local guest access and virtio-fs configuration, not directly internet-exposed.
🏢 Internal Only: HIGH - In virtualized environments with untrusted guests, this provides a path for guest-to-host privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires guest administrator privileges. Proof-of-concept code is available in the bug reports and patches.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: QEMU 5.2.0 and later

Vendor Advisory: https://security.gentoo.org/glsa/202208-27

Restart Required: Yes

Instructions:

1. Update QEMU to version 5.2.0 or later.
2. For distributions: use the package manager (apt/yum/dnf) to update the qemu packages.
3. Restart affected virtual machines.
4. Verify that the virtio-fs daemon (virtiofsd) is updated.

🔧 Temporary Workarounds

Disable virtio-fs shared directories

Remove or disable virtio-fs shared directory configurations between the host and any untrusted guest:

  # Edit the VM configuration to remove the virtio-fs shared directories
  # (the -device vhost-user-fs-pci entry and its matching -chardev socket)
  # Check for running virtiofsd processes:
  ps aux | grep virtiofs
  # Stop virtiofsd if it is no longer needed

Use alternative file sharing methods

Replace virtio-fs with the 9p filesystem (-virtfs) or another sharing mechanism. With security_model=mapped, special files created by the guest are stored on the host as regular files with metadata, not as real device nodes:

  # Configure the VM with -virtfs instead of -device vhost-user-fs-pci
  # Example:
  -virtfs local,path=/shared,mount_tag=host0,security_model=mapped

🧯 If You Can't Patch

  • Isolate virtio-fs shared directories to contain only non-sensitive, non-critical data
  • Implement strict access controls and monitoring for guest users with shared directory access

🔍 How to Verify

Check if Vulnerable:

Check the QEMU version and whether virtio-fs is in use. The following matches the affected 5.0.x and 5.1.x releases:

  qemu-system-x86_64 --version | grep -E '5\.(0|1)\.'

Then check the VM configuration for virtio-fs (vhost-user-fs) devices and the host for running virtiofsd processes.

Check Version:

qemu-system-x86_64 --version | head -1

Verify Fix Applied:

Verify that the QEMU version is 5.2.0 or later (5.2.x, or any major version from 6 upward):

  qemu-system-x86_64 --version | grep -E 'version (5\.([2-9]|[1-9][0-9])|[6-9]\.|[1-9][0-9]+\.)'
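
The grep patterns above only recognise a handful of release numbers. This added script (constructed here, not part of the advisory or of QEMU) parses the --version banner, compares it numerically against the 5.2.0 fix, and scans a process-argument listing for VMs that are actually attached to virtio-fs, which is the precondition given in the Notes above. The process listing, socket path and share path in it are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the advisory): numeric version comparison against
# the 5.2.0 fix plus a scan of process arguments for VMs wired to virtio-fs.

# Pull "X.Y.Z" out of the first line of `qemu-system-x86_64 --version`,
# e.g. "QEMU emulator version 5.1.0 (Debian 1:5.1+dfsg-4)" -> "5.1.0".
qemu_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (0) when dotted version $1 is numerically lower than $2; missing
# components count as 0, so "5.2" equals "5.2.0".
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a='' || a=${a#*.}
        [ "$b" = "$bi" ] && b='' || b=${b#*.}
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# Classify a --version banner as "vulnerable", "fixed" or "unknown".
cve_2020_35517_status() {
    v=$(qemu_version_from_banner "$1")
    if [ -z "$v" ]; then echo unknown
    elif version_lt "$v" 5.2.0; then echo vulnerable
    else echo fixed; fi
}

# True when a process-argument listing on stdin (as from `ps -eo args`) shows
# a vhost-user-fs device on the QEMU side or a running virtiofsd daemon.
virtiofs_in_use() {
    grep -E -q 'vhost-user-fs-(pci|device)|(^|/)virtiofsd( |$)'
}

# Constructed sample listing for a stand-alone run; on a real host pipe
# `ps -eo args` into virtiofs_in_use instead.
SAMPLE_PS='/usr/bin/qemu-system-x86_64 -name guest=vm1 -chardev socket,id=char0,path=/run/vhostqemu -device vhost-user-fs-pci,chardev=char0,tag=myfs
/usr/libexec/virtiofsd --socket-path=/run/vhostqemu -o source=/srv/share'

banner=$(qemu-system-x86_64 --version 2>/dev/null | head -n 1)
echo "QEMU status: $(cve_2020_35517_status "$banner")"
if printf '%s\n' "$SAMPLE_PS" | virtiofs_in_use; then
    echo "virtio-fs in use: patch or remove the shared directory"
fi
```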

📡 Detection & Monitoring

Log Indicators:

  • Guest creating device nodes in shared directories
  • Unexpected access to host device files from virtiofsd process

Network Indicators:

  • Not network exploitable - local privilege escalation

SIEM Query:

process.name=virtiofsd AND file.path=/dev/* AND file.operation=create
