Palo Alto Networks Discovers New QEMU Vulnerability

Ryan Salsamendi


Category: Unit 42

Palo Alto Networks Unit 42 recently discovered CVE-2017-12809, which is a vulnerability affecting QEMU beginning with version 2.8. We reported this vulnerability and it has been fixed in QEMU version 2.10.0 released on August 30, 2017. The latest version can be obtained from QEMU here.

The vulnerability results from a flaw in the way QEMU’s emulated hard drive controller handles the ATA_CACHE_FLUSH command. The QEMU host process will dereference a NULL pointer if ATA_CACHE_FLUSH is issued to a removable drive with no disk present (the default configuration).  This causes the host OS to terminate QEMU. In Windows, this can be triggered from user mode by an unprivileged process by opening a handle to the emulated CDROM drive using the CreateFile() API, followed by DeviceIoControl() with IOCTL_ATA_PASS_THROUGH. Using this technique on a real physical machine will have no effect.

We found the vulnerability by hooking LLVM’s libFuzzer up to QEMU’s emulated memory and IO ports. Our custom hypervisor undergoes continuous fuzzing with this and other fuzzers to ensure the highest security for our customers.

Many security products use QEMU to sandbox files in the process of determining if they are malicious. By triggering this vulnerability before malicious behavior, an attacker can force security products to classify malicious files as benign.

Palo Alto Networks products are not affected by this vulnerability. The WildFire service detonates malware in a custom hypervisor that does not share any code with QEMU.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42


SUBSCRIBE TO RSS