CVE-2023-5088: Qemu: improper ide controller reset can lead to mbr overwrite
First published: Tue Oct 31 2023(Updated: )
A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/qemu-kvm | <8.2.0 | 8.2.0 |
| QEMU qemu | <8.2.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 | |
| ubuntu/qemu | <1:4.2-3ubuntu6.28 | 1:4.2-3ubuntu6.28 |
| ubuntu/qemu | <1:6.2+dfsg-2ubuntu6.16 | 1:6.2+dfsg-2ubuntu6.16 |
| ubuntu/qemu | <1:7.2+dfsg-5ubuntu2.4 | 1:7.2+dfsg-5ubuntu2.4 |
| ubuntu/qemu | <1:8.0.4+dfsg-1ubuntu3.23.10.2 | 1:8.0.4+dfsg-1ubuntu3.23.10.2 |
| ubuntu/qemu | <1:8.1.3+ | 1:8.1.3+ |
| debian/qemu | <=1:3.1+dfsg-8+deb10u8<=1:5.2+dfsg-11+deb11u3<=1:5.2+dfsg-11+deb11u2<=1:7.2+dfsg-7+deb12u5 | 1:3.1+dfsg-8+deb10u12 1:8.2.1+ds-2 1:8.2.3+ds-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lore.kernel.org/all/20230921160712.99521-1-simon.rowe@nutanix.com/T/
- https://lists.nongnu.org/archive/html/qemu-devel/2023-09/msg01011.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2247771
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_virtualization/creating-nested-virtual-machines_configuring-and-managing-virtualization
- https://lore.kernel.org/qemu-devel/20230906130922.142845-1-f.ebner@proxmox.com/T/#u
- https://lore.kernel.org/qemu-devel/ab6655b0-a6cf-4c19-56d2-e1cb0e6ac72b@linaro.org/
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/
- https://lore.kernel.org/qemu-devel/20230906130922.142845-1-f.ebner@proxmox
- https://lore.kernel.org/qemu-devel/ab6655b0-a6cf-4c19-56d2
- https://access.redhat.com/solutions/21101
- https://access.redhat.com/support/offerings/techpreview
- https://lore.kernel.org/qemu-devel/20231106110336.358-48-philmd@linaro.org/
- https://lore.kernel.org/qemu-devel/20231106110336.358-49-philmd@linaro.org/
- https://gitlab.com/qemu-project/qemu/-/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e
- https://gitlab.com/qemu-project/qemu/-/commit/cc610857bbd3551f4b86ae2299336b5d9aa0db2b
- https://bugzilla.redhat.com/show_bug.cgi?id=2247283
- https://access.redhat.com/security/cve/CVE-2023-5088
- https://lists.debian.org/debian-lts-announce/2024/03/msg00012.html
- https://security.netapp.com/advisory/ntap-20231208-0005/
- https://launchpad.net/bugs/cve/CVE-2023-5088
- https://ubuntu.com/security/notices/USN-6567-1
- https://www.cve.org/CVERecord?id=CVE-2023-5088
- https://nvd.nist.gov/vuln/detail/CVE-2023-5088
- https://security-tracker.debian.org/tracker/CVE-2023-5088
- https://ubuntu.com/security/CVE-2023-5088
- https://access.redhat.com/errata/RHSA-2024:2135
Frequently Asked Questions
What is CVE-2023-5088?
CVE-2023-5088 is a vulnerability in QEMU that can result in the overwrite of a VM's boot code due to an improper IDE controller reset.
What is the severity level of CVE-2023-5088?
CVE-2023-5088 has a severity level of medium.
How does CVE-2023-5088 affect QEMU?
CVE-2023-5088 affects QEMU by causing a guest I/O operation to be targeted to offset 0 instead of the intended disk offset, potentially overwriting the VM's boot code.
Is there a fix available for CVE-2023-5088?
Yes, a fix is available for CVE-2023-5088. Please refer to the vendor's security advisory for more information.
What is the Common Weakness Enumeration (CWE) ID for CVE-2023-5088?
The Common Weakness Enumeration (CWE) ID for CVE-2023-5088 is CWE-821.
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/author
- agent/severity
- agent/title
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-5088
- agent/software-canonical-lookup
- agent/description
- collector/nvd-cve
- source/NVD
- collector/launchpad-cve
- source/Launchpad
- agent/event
- agent/references
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/nvd-api
- package-manager/redhat
- vendor/qemu
- canonical/qemu qemu
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/9.0
- package-manager/ubuntu
- package-manager/debian