CVE-2021-3713
📋 TL;DR
This vulnerability allows a malicious guest user in QEMU virtual machines to perform out-of-bounds writes in the UAS device emulation, potentially leading to QEMU process crashes or arbitrary code execution on the host system. It affects QEMU versions prior to 6.2.0-rc0 when UAS device emulation is enabled. Organizations using QEMU for virtualization with USB Attached SCSI device support are at risk.
💻 Affected Systems
- QEMU
📦 What is this software?
Qemu by Qemu
⚠️ Risk & Real-World Impact
Worst Case
Privileged code execution on the host system, potentially leading to full host compromise and lateral movement to other virtual machines or systems.
Likely Case
QEMU process crash causing denial of service for affected virtual machines, requiring host intervention to restart VMs.
If Mitigated
Limited impact with proper network segmentation and minimal privileges for QEMU processes, potentially only affecting isolated virtual machines.
🎯 Exploit Status
Exploitation requires guest VM access and knowledge of the vulnerability. The guest must be able to interact with the emulated UAS device.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.0-rc0 and later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1994640
Restart Required: Yes
Instructions:
1. Update QEMU to version 6.2.0-rc0 or later.
2. Restart all QEMU processes and affected virtual machines.
3. Verify the update was successful by checking the QEMU version.
🔧 Temporary Workarounds
Disable UAS device emulation
Remove or disable USB Attached SCSI device support in the QEMU configuration
Edit the QEMU configuration to remove '-device usb-storage' or similar UAS-related options
Restrict guest VM privileges
Run QEMU with reduced privileges and implement strict access controls
Run QEMU as a non-root user and implement SELinux/AppArmor policies
🧯 If You Can't Patch
- Disable UAS device emulation in all QEMU configurations
- Implement network segmentation to isolate vulnerable VMs from critical systems
🔍 How to Verify
Check if Vulnerable:
Check the QEMU version with 'qemu-system-x86_64 --version' or the equivalent binary for your architecture. If the version is earlier than 6.2.0-rc0 and UAS device emulation is enabled, the system is vulnerable.
Check Version:
qemu-system-x86_64 --version | head -1
Verify Fix Applied:
Verify that the QEMU version is 6.2.0-rc0 or later, and check that UAS device emulation is properly configured if it is still needed.
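As an added example (not from the advisory or the QEMU project), the following POSIX shell helper applies the version check above and also tests whether a QEMU command line attaches the UAS device, which QEMU names `usb-uas`; the sample banner and command line are constructed. It assumes the QEMU convention that `--version` reports release candidates with a micro version of 90 or above (6.2.0-rc0 prints 6.1.90).

```shell
#!/bin/sh
# Added example, not from the advisory: classify a host's exposure to
# CVE-2021-3713 from a QEMU version banner plus a QEMU command line.
# Fixed in 6.2.0-rc0. QEMU's --version reports release candidates as the
# previous minor with micro >= 90 (6.2.0-rc0 prints "6.1.90"), so 6.1.90 is used.
# Pull "X.Y.Z" out of a banner like "QEMU emulator version 6.1.0 (Debian ...)".
qemu_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}
# Exit 0 when X.Y.Z is older than 6.1.90, i.e. it predates the fix.
qemu_version_vulnerable() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; micro=${rest#*.}
    micro=${micro%%[!0-9]*}            # drop any "-rcN" or distro suffix
    [ "$major" -lt 6 ] && return 0
    [ "$major" -gt 6 ] && return 1
    [ "$minor" -lt 1 ] && return 0
    [ "$minor" -gt 1 ] && return 1
    [ "${micro:-0}" -lt 90 ]
}
# Exit 0 when the command line attaches QEMU's UAS device type, "usb-uas".
qemu_cmdline_has_uas() {
    prev=""
    for arg in $1; do
        if [ "$prev" = "-device" ]; then
            case "$arg" in
                usb-uas|usb-uas,*|driver=usb-uas|driver=usb-uas,*|*,driver=usb-uas|*,driver=usb-uas,*) return 0 ;;
            esac
        fi
        prev=$arg
    done
    return 1
}
# Prints one verdict: not-exposed, vulnerable, patched, or unknown-version.
assess_qemu() {
    ver=$(qemu_version_from_banner "$1")
    if ! qemu_cmdline_has_uas "$2"; then echo not-exposed
    elif [ -z "$ver" ]; then echo unknown-version
    elif qemu_version_vulnerable "$ver"; then echo vulnerable
    else echo patched; fi
}
# Constructed sample inputs (not taken from a real host).
SAMPLE_BANNER='QEMU emulator version 6.1.0 (Debian 1:6.1+dfsg-1)'
SAMPLE_CMDLINE='qemu-system-x86_64 -m 2048 -device usb-ehci,id=ehci -device usb-uas,id=uas'
assess_qemu "$SAMPLE_BANNER" "$SAMPLE_CMDLINE"   # prints: vulnerable
```

On a live host, feed it the real banner and a running process's arguments, e.g. `assess_qemu "$(qemu-system-x86_64 --version | head -1)" "$(ps -o args= -p PID)"`.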
📡 Detection & Monitoring
Log Indicators:
- QEMU process crashes with segmentation faults
- Unexpected QEMU termination logs
- Guest VM access attempts to UAS device interfaces
Network Indicators:
- Unusual USB device emulation traffic from guest VMs
SIEM Query:
source="qemu.log" AND ("segmentation fault" OR "crash" OR "uas")
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=1994640
- https://lists.debian.org/debian-lts-announce/2021/09/msg00000.html
- https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html
- https://security.gentoo.org/glsa/202208-27
- https://security.netapp.com/advisory/ntap-20210923-0006/
- https://www.debian.org/security/2021/dsa-4980