CVE-2023-0664
📋 TL;DR
This vulnerability allows a local unprivileged user on Windows systems running QEMU Guest Agent to manipulate the installer's repair custom actions, leading to privilege escalation. Attackers can gain SYSTEM-level privileges by exploiting this flaw. Only Windows installations of QEMU Guest Agent are affected.
💻 Affected Systems
- QEMU Guest Agent for Windows
📦 What is this software?
- Fedora (vendor: Fedoraproject)
- QEMU (vendor: QEMU)
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement.
Likely Case
Local user escalates to administrative privileges, allowing installation of malware, configuration changes, and access to sensitive data.
If Mitigated
With proper access controls and monitoring, exploitation attempts can be detected and contained before significant damage occurs.
🎯 Exploit Status
Exploitation requires local access to the Windows system and knowledge of the installer repair process manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: QEMU 7.2.0 and later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
Restart Required: Yes
Instructions:
1. Update QEMU Guest Agent to version 7.2.0 or later.
2. Apply patches from your distribution's repository.
3. Restart the QEMU Guest Agent service.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Restrict Local Access
Limit local user access to Windows systems running QEMU Guest Agent to trusted users only.
Disable Unnecessary Services
Disable the QEMU Guest Agent service if it is not required (run from an elevated command prompt):
sc stop qemu-ga
sc config qemu-ga start= disabled
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to affected systems
- Monitor for suspicious installer repair activities and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check QEMU Guest Agent version on Windows systems. Versions prior to 7.2.0 are vulnerable.
Check Version:
qemu-ga --version
Verify Fix Applied:
Verify QEMU Guest Agent version is 7.2.0 or later and check that the service is running properly.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing installer repair activities for QEMU Guest Agent
- Unexpected privilege escalation events
- Suspicious process creation with SYSTEM privileges
Network Indicators:
- Unusual outbound connections from QEMU Guest Agent service
SIEM Query:
(EventID=4688 AND ProcessName LIKE '%qemu-ga%' AND NewProcessName LIKE '%cmd%') OR (EventID=4688 AND ProcessName LIKE '%msiexec%' AND CommandLine LIKE '%qemu%')
Note: this is pseudo-query syntax; map ProcessName (creator process), NewProcessName and CommandLine to your SIEM's field names for Event ID 4688, and make sure process command-line auditing is enabled, otherwise the CommandLine clause never matches.
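The version check from "How to Verify" and the two SIEM conditions above, written out as runnable detection logic over constructed Event ID 4688 records. This is an added example, not code from the advisory or the QEMU project; the normalised field names (creator, new_process, cmdline, user) and the assumed "QEMU Guest Agent X.Y.Z" output format of qemu-ga --version are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed release named by the advisory (QEMU 7.2.0).
FIXED_VERSION: Tuple[int, int, int] = (7, 2, 0)


def parse_version(output: str) -> Tuple[int, int, int]:
    """Extract the first X.Y.Z token from `qemu-ga --version` output.
    The surrounding text format is assumed; only the dotted version is used."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no version found in: %r" % output)
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_vulnerable(output: str) -> bool:
    """True when the installed guest agent predates the 7.2.0 fix."""
    return parse_version(output) < FIXED_VERSION


def is_suspicious(ev: Dict[str, object]) -> bool:
    """Apply the advisory's SIEM logic to one normalised 4688 record:
    (a) qemu-ga spawning a cmd shell, or (b) msiexec acting on a QEMU package."""
    if ev.get("event_id") != 4688:
        return False
    creator = str(ev.get("creator", "")).lower()
    new_proc = str(ev.get("new_process", "")).lower()
    cmdline = str(ev.get("cmdline", "")).lower()
    agent_spawns_shell = "qemu-ga" in creator and "cmd" in new_proc
    msi_touches_agent = "msiexec" in creator and "qemu" in cmdline
    return agent_spawns_shell or msi_touches_agent


def triage(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return only the records worth an analyst's attention."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample records (not real log data); paths are illustrative.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"event_id": 4688, "creator": r"C:\Program Files\Qemu-ga\qemu-ga.exe",
     "new_process": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami",
     "user": "SYSTEM"},
    {"event_id": 4688, "creator": r"C:\Windows\System32\msiexec.exe",
     "new_process": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe qemu-ga-x86_64.msi", "user": "alice"},
    {"event_id": 4688, "creator": r"C:\Windows\explorer.exe",
     "new_process": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "user": "alice"},
]
```

A cmd.exe child of qemu-ga running as SYSTEM, as in the first sample record, is the pattern the worst-case section describes and should be escalated rather than merely logged.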
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=2167423
- https://gitlab.com/qemu-project/qemu/-/commit/07ce178a2b0768eb9e712bb5ad0cf6dc7fcf0158
- https://gitlab.com/qemu-project/qemu/-/commit/88288c2a51faa7c795f053fc8b31b1c16ff804c5
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MURWGXDIF2WTDXV36T6HFJDBL632AO7R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SEOC7SRJWLZSXCND2ADFW6C76ZMTZLE4/
- https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg01445.html
- https://security.netapp.com/advisory/ntap-20230517-0005/