CVE-2023-1386 Qemu: 9pfs: suid/sgid bits not dropped on file write

2023-07-2415:19:25

CWE-281

redhat

github.com

qemu

9pfs

flaw

privilege escalation

file write

suid

sgid

CVSS3

3.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

6.4

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.