N/A

A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.

N/A

对于放弃特权的检查不恰当

QEMU 安全漏洞

QEMU（Quick Emulator）是法国法布里斯-贝拉（Fabrice Bellard）个人开发者的一套模拟处理器软件。该软件具有速度快、跨平台等特点。 QEMU存在安全漏洞，该漏洞源于在QEMU virtio-fs共享文件系统守护进程(virtiofsd)实现中发现一个缺陷。攻击者可利用该漏洞触发CVE-2018-13405，以获取敏感信息或可能升级其在系统上的权限。

N/A

N/A