V-gHost: QEMU-KVM VM Escape in vhost/vhost-net

V-gHost is a QEMU-KVM VM escape vulnerability in vhost/vhost-net, the virtio network backend that runs as a Linux kernel module on the host. It is a buffer overflow in that host kernel module: an attacker with a privileged account inside the VM can trigger it while the VM is being live-migrated, because the overflow is in the dirty-page log that vhost maintains only during migration. The vulnerability was discovered by Tencent Blade Team.
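To make the mechanism concrete, here is a small C model of the descriptor-walk invariant that the upstream fix commit linked below ("vhost: make sure log_num < in_num") restores. It is an added example written for this page, not kernel code and not Tencent's PoC. The real logic is in drivers/vhost/vhost.c (vhost_get_vq_desc / get_indirect): while walking a guest-supplied descriptor chain, vhost fills two counters, in_num (iovec slots consumed, as returned by translate_desc) and log_num (entries written to the dirty-page log used during live migration). The iovec and log arrays are allocated with the same number of entries, so the log write stays in bounds only while log_num <= in_num. A zero-length writable descriptor adds 0 to in_num but, before the fix, still added one log entry, so a chain of such descriptors walks log_num past the end of the log array. The fix logs a descriptor only when translate_desc consumed iovec space (ret != 0). MAX_BUFS, struct desc, walk_chain, the simplified translate_desc, the two *_chain_overflows functions and the sample chains are assumptions of this model.

```c
/* Added illustrative model of the CVE-2019-14835 descriptor-walk invariant.
 * NOT vhost's code: names (MAX_BUFS, walk_chain, ...) are invented for this
 * page; the real logic lives in drivers/vhost/vhost.c. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BUFS 8   /* stand-in for the shared size of the iovec and log arrays */

struct desc      { uint64_t addr; uint32_t len; };  /* guest-controlled descriptor (simplified) */
struct log_entry { uint64_t addr; uint32_t len; };  /* dirty-log record kept during live migration */

/* Stand-in for translate_desc(): number of iovec slots a buffer consumes
 * (0 for an empty buffer), or -1 when the iovec array is already full. */
static int translate_desc(uint32_t len, unsigned iov_used)
{
    if (len == 0)
        return 0;
    return iov_used < MAX_BUFS ? 1 : -1;
}

/* Walk a chain of writable descriptors with migration logging enabled.
 * fixed == false logs every descriptor (pre-fix: "if (unlikely(log))");
 * fixed == true  logs only descriptors that consumed iovec space
 *                (the fix: "if (unlikely(log && ret))").
 * Returns the final log_num. The model never writes outside log[]; instead
 * *overflow records whether the kernel code would have done so. */
static int walk_chain(const struct desc *chain, size_t n, bool fixed,
                      struct log_entry *log, bool *overflow)
{
    unsigned in_num = 0, log_num = 0;

    *overflow = false;
    for (size_t i = 0; i < n; i++) {
        int ret = translate_desc(chain[i].len, in_num);
        if (ret < 0)
            break;                      /* out of iovec space: the kernel returns an error here */
        in_num += ret;                  /* in_num can never exceed MAX_BUFS ...                */
        if (!fixed || ret) {            /* ... but log_num can, unless ret == 0 is skipped     */
            if (log_num < MAX_BUFS) {
                log[log_num].addr = chain[i].addr;
                log[log_num].len  = chain[i].len;
            } else {
                *overflow = true;       /* real code: log[log_num] written past the array */
            }
            log_num++;
        }
    }
    return (int)log_num;
}

/* Constructed guest input: a chain of zero-length writable buffers twice as
 * long as the log array. Returns true if the walk would overflow the log. */
bool zero_len_chain_overflows(bool fixed)
{
    struct desc chain[2 * MAX_BUFS];
    struct log_entry log[MAX_BUFS];
    bool overflow;

    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        chain[i].addr = 0x1000 + i * 0x1000;   /* constructed guest addresses */
        chain[i].len  = 0;
    }
    walk_chain(chain, sizeof chain / sizeof chain[0], fixed, log, &overflow);
    return overflow;
}

/* Same-length chain of non-empty buffers: the iovec limit stops the walk
 * first, so log_num stays in bounds with or without the fix. */
bool nonzero_chain_overflows(bool fixed)
{
    struct desc chain[2 * MAX_BUFS];
    struct log_entry log[MAX_BUFS];
    bool overflow;

    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        chain[i].addr = 0x1000 + i * 0x1000;   /* constructed guest addresses */
        chain[i].len  = 1;
    }
    walk_chain(chain, sizeof chain / sizeof chain[0], fixed, log, &overflow);
    return overflow;
}

int main(void)
{
    printf("zero-length chain, pre-fix: overflow=%d\n", zero_len_chain_overflows(false));
    printf("zero-length chain, fixed  : overflow=%d\n", zero_len_chain_overflows(true));
    printf("non-empty chain,   pre-fix: overflow=%d\n", nonzero_chain_overflows(false));
    return 0;
}
```

The point to take from the model is that the bounds check on the iovec array was doing double duty as the bounds check on the log array, and zero-length descriptors break the coupling; the fix does not add a new bounds check, it restores the invariant by not logging descriptors that consumed no iovec space.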



Q & A


(1) Am I affected by the vulnerability?

If you are using vhost/vhost_net as your virtio network backend and have not applied the patch, you may be vulnerable to V-gHost. Affected Linux kernel versions range from 2.6.34 through 5.2.x. Note that stable and distribution kernels backport the fix without changing the major version, so check your vendor's advisory for the fixed package version rather than relying on the version number alone.
Linux distributions:
RedHat: https://access.redhat.com/security/cve/cve-2019-14835
Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14835.html
SUSE: https://www.suse.com/security/cve/CVE-2019-14835/
Debian: https://security-tracker.debian.org/tracker/CVE-2019-14835


(2) What is the impact of this vulnerability?

An attacker inside the VM may escape to the host and run arbitrary code there, or at the very least crash the host kernel.


(3) What is the CVE ID of this vulnerability?

CVE-2019-14835


(4) Has “V-gHost” been abused in the wild?

We have not found this vulnerability to have a public exploit.


(5) Is there a workaround/fix?

Yes.
Option #1: update to a kernel that contains the fix (mainline 5.3 or later, or a stable/distribution kernel into which the fix has been backported), or apply the Linux kernel upstream patch: https://github.com/torvalds/linux/commit/060423bfdee3f8bc6e2c1bac97de24d5415e2bc4
https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git/commit/?h=for_linus&id=060423bfdee3f8bc6e2c1bac97de24d5415e2bc4
Option #2: disable guest live migration (the bug is only reachable while a migration is in progress).
Option #3: disable vhost-net, so that virtio-net is served by QEMU's userspace backend instead (at a cost in network performance).

See Red Hat's mitigation guidance: https://access.redhat.com/security/cve/cve-2019-14835

Security advisories:
RedHat: https://access.redhat.com/errata/RHSA-2019:2827
https://access.redhat.com/security/vulnerabilities/kernel-vhost
Ubuntu: https://usn.ubuntu.com/4135-2/
Debian: https://www.debian.org/security/2019/dsa-4531


(6) Are there plans to disclose details of the vulnerability?

Yes, we have published details of the vulnerability here: https://www.openwall.com/lists/oss-security/2019/09/17/1
And a simple PoC here: https://www.openwall.com/lists/oss-security/2019/09/24/1




Timeline


- 10th Sep 2019 Submitted vulnerability report and patch to Linux kernel mainline and distribution vendors.

- 10th Sep 2019 Vulnerability and patch confirmed by Linux kernel mainline and distribution vendors.

- 10th Sep 2019 CVE ID assigned: CVE-2019-14835.

- 15th Sep 2019 Linux kernel mainline fixed this vulnerability.

- 17th Sep 2019 Published details of the vulnerability

- 24th Sep 2019 Published a simple PoC of the vulnerability