A vulnerability classified as problematic was found in QEMU 5.0 (Virtualization Software). Affected by this vulnerability is an unknown code of the component virtiofsd. The manipulation as part of a File Descriptor leads to a resource consumption vulnerability. The CWE definition for the vulnerability is CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. As an impact it is known to affect availability. The summary by CVE is:

A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system directory with a guest via virtio-fs device. If the guest opens the maximum number of file descriptors under the shared directory, a denial of service may occur. This flaw allows a guest user/process to cause this denial of service on the host.

The weakness was released 05/04/2020 as not defined bug report (Bugzilla). It is possible to read the advisory at bugzilla.redhat.com. This vulnerability is known as CVE-2020-10717 since 03/20/2020. Attacking locally is a requirement. A single authentication is needed for exploitation. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 05/05/2020).

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Type

• Virtualization Software

Name

• QEMU

Version

• 5.0

License

• open-source

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion