CVE-2024-6505 – A heap overflow vulnerability in QEMU's virtio-... (How to Fix)

Q: What is the severity of CVE-2024-6505?

CVE-2024-6505 has a CVSS score of 6.8 (MEDIUM). A heap overflow vulnerability in QEMU's virtio-net device allows privileged guest users to crash the host QEMU process by manipulating RSS indirections_table values. This affects virtualization environments using QEMU with virtio-net and RSS enabled. The vulnerability requires guest OS privileges but can cause host-level denial of service.

📋 TL;DR

A heap overflow vulnerability in QEMU's virtio-net device allows privileged guest users to crash the host QEMU process by manipulating RSS indirections_table values. This affects virtualization environments using QEMU with virtio-net and RSS enabled. The vulnerability requires guest OS privileges but can cause host-level denial of service.

💻 Affected Systems

Products:

QEMU
Red Hat Enterprise Linux
Fedora
CentOS Stream
Oracle Linux
SUSE Linux Enterprise Server
Ubuntu
Debian

Versions: QEMU versions before 9.0.0

Operating Systems: Linux, Windows (as guest OS), BSD (as guest OS)

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when virtio-net device is used with RSS (Receive Side Scaling) feature enabled. Not all QEMU configurations use virtio-net with RSS.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Privileged guest user causes QEMU process crash on host, disrupting all VMs on that host and potentially leading to data corruption or availability issues.

🟠

Likely Case

Privileged guest user causes targeted QEMU process crash, affecting only that specific VM and potentially other VMs on the same host.

🟢

If Mitigated

With proper isolation and monitoring, impact is limited to single VM availability with quick recovery options.

🌐 Internet-Facing: LOW - Requires guest OS access and specific virtio-net configuration.

🏢 Internal Only: MEDIUM - Internal virtualization infrastructure could be targeted by compromised guest VMs.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires privileged access within guest VM and knowledge of RSS configuration. No public exploit code available as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: QEMU 9.0.0 and later

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-6505

Restart Required: Yes

Instructions:

1. Update QEMU to version 9.0.0 or later. 2. For Red Hat systems: 'yum update qemu-kvm'. 3. Restart affected VMs or QEMU processes. 4. Verify patch installation with version check.

🔧 Temporary Workarounds

Disable RSS on virtio-net

linux

Disable Receive Side Scaling feature on virtio-net devices to prevent exploitation

qemu-system-x86_64 -device virtio-net-pci,rss=off

Use alternative network devices

linux

Replace virtio-net with e1000 or other network devices not affected by this vulnerability

qemu-system-x86_64 -device e1000

🧯 If You Can't Patch

Isolate vulnerable VMs from critical infrastructure
Implement strict access controls to prevent guest privilege escalation

🔍 How to Verify

Check if Vulnerable:

Check QEMU version and virtio-net configuration: 'qemu-system-x86_64 --version' and examine VM configuration for virtio-net with RSS enabled.

Check Version:

qemu-system-x86_64 --version

Verify Fix Applied:

Verify QEMU version is 9.0.0 or later: 'qemu-system-x86_64 --version | grep -E "9\.[0-9]+\.[0-9]+"'. Check that virtio-net devices no longer accept malformed RSS values.

📡 Detection & Monitoring

Log Indicators:

QEMU process crashes with segmentation faults
Kernel logs showing QEMU memory access violations
Guest VM sudden disconnections

Network Indicators:

Unexpected virtio-net RSS configuration changes from guest

SIEM Query:

source="qemu.log" AND ("segmentation fault" OR "heap overflow" OR "out of bounds")

📊 Metadata

CVE ID: CVE-2024-6505

CVSS v3 Score: 6.8 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CWE: CWE-125

Published: July 5, 2024

Last Updated: November 21, 2024

🔗 References

https://access.redhat.com/security/cve/CVE-2024-6505 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2295760 Issue Tracking
https://access.redhat.com/security/cve/CVE-2024-6505 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2295760 Issue Tracking
https://security.netapp.com/advisory/ntap-20240816-0006/

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-6505, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Enterprise Linux by Redhat

Enterprise Linux by Redhat

Enterprise Linux by Redhat

Qemu by Qemu

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable RSS on virtio-net

Use alternative network devices

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities