PT-2022-1927 · Qemu · Qemu Virtio-Fs

Jietao Xiao · Published 2022-01-28 · Updated 2024-06-15 · CVE-2022-0358

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: QEMU virtio-fs (virtiofsd); affected version range not specified on this page
Description: A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd). The issue is incorrect default permissions: when the daemon, which runs as root on the host, switches credentials to act on behalf of a guest user, it changes only its fsuid/fsgid and keeps the supplementary group list inherited from its root parent. Host kernel checks that depend on group membership, for example the one that decides whether a file created in a setgid directory may keep its setgid bit (the CVE-2018-13405 hardening), therefore pass for groups the guest user does not belong to. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership, including setgid executables owned by the root group, and use them to gain access to resources of the root group and escalate privileges within the guest. A malicious local user on the host can likewise run such an unexpected setgid executable created by the guest to escalate privileges on the host.
Recommendations: The upstream fix is the QEMU commit "virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)", which drops the inherited supplementary group list with setgroups() when the daemon switches credentials; it is included in QEMU 7.0.0. Distribution packages were fixed through the vendor advisories listed under Related Identifiers (for example DSA-5133-1, USN-5307-1, RHSA-2022:0886, SUSE-SU-2022:0930-1): install the updated qemu/virtiofsd package and restart running virtiofsd instances so they pick up the fixed binary. Until then, avoid exporting directories that are guest-writable and owned by privileged host groups, and audit existing exports for setgid executables the guest may already have created.
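The host-side audit mentioned above, as an added example that is not part of this advisory or of QEMU/virtiofsd: it lists regular files under an export that carry the setgid bit (the "unexpected executable file" from the description) and, for each, reports whether the numeric owner is actually a member of the file's group. A setgid file whose owner is not in its group is the fingerprint of a create that went through with root's supplementary groups still in place. The export path in the usage line is an assumption.

```shell
#!/bin/sh
# Added example for CVE-2022-0358; not code from QEMU or virtiofsd.
# Audit a virtio-fs export directory on the HOST for setgid regular files and
# flag those whose owner is not a member of the file's group. Numeric ids are
# used on purpose: guest uids/gids frequently have no passwd/group entry on
# the host, and a missing entry must count as "not a member", not crash.

# Print the group list (primary + supplementary) of a numeric uid, one per line.
groups_of_uid() {
    uid=$1
    if [ "$uid" = "$(id -u)" ]; then
        id -G                      # current user: works even without a passwd entry
    else
        id -G "$uid" 2>/dev/null   # other uid: needs a passwd entry, else prints nothing
    fi | tr ' ' '\n'
}

# List setgid regular files under $1: "<path> uid=<n> gid=<n> owner-in-group=<member|NOT-MEMBER>"
audit_setgid_files() {
    dir=$1
    # -perm -2000: the setgid bit is set, whatever the other mode bits are
    find "$dir" -type f -perm -2000 2>/dev/null | while IFS= read -r f; do
        uid=$(stat -c '%u' "$f")
        gid=$(stat -c '%g' "$f")
        if groups_of_uid "$uid" | grep -qx "$gid"; then
            status=member
        else
            status=NOT-MEMBER
        fi
        printf '%s uid=%s gid=%s owner-in-group=%s\n' "$f" "$uid" "$gid" "$status"
    done
}

# Number of suspicious files (setgid, owner not in the file's group); "0" when clean.
count_suspicious_setgid() {
    audit_setgid_files "$1" | grep -c 'owner-in-group=NOT-MEMBER' || true
}

# Usage (export path is an assumption): sh audit-setgid.sh /srv/virtiofs/share
if [ -n "${1:-}" ]; then
    audit_setgid_files "$1"
    echo "suspicious: $(count_suspicious_setgid "$1")"
fi
```

Run it as root on the host so every file under the export is readable; a non-zero "suspicious" count is worth investigating file by file, and a clean run does not prove the daemon is patched, only that nothing has been planted yet.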

Exploit

Weakness Enumeration

CWE-276: Incorrect Default Permissions

Related Identifiers

ALSA-2022:0886
ALT-PU-2022-1369
ALT-PU-2022-1412
ALT-PU-2022-2009
ALT-PU-2022-2062
ALT-PU-2023-1830
ALT-PU-2023-1869
AZL-10763
AZL-35156
BDU:2022-01465
CESA-2022_0886
CVE-2022-0358
DSA-5133-1
OESA-2022-1772
OPENSUSE-SU-2022:0930-1
OPENSUSE-SU-2024:11907-1
RHSA-2022:0759
RHSA-2022:0886
RHSA-2022:0949
RHSA-2022:0971
RHSA-2022:0973
RLSA-2022:0886
SUSE-SU-2022:0930-1
SUSE-SU-2022:0930-2
USN-5307-1
USN-5489-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Qemu Virtio-Fs
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu