Bugzilla – Bug 1208531
VUL-0: CVE-2023-0664: vmdp: local privilege escalation via the QEMU Guest Agent on Windows
Last modified: 2024-05-06 08:12:29 UTC
CVE-2023-0664 A privilege escalation vulnerability was found in the QEMU Guest Agent service for Windows. A local unprivileged user is able to manipulate the QEMU Guest Agent's Windows installer (via repair custom actions) to elevate their privileges to the SYSTEM account within the guest. Note: this is not a VM escape flaw, meaning that it does *not* allow a malicious user to break out of the guest. It affects Windows VMs using virtio-win drivers with QEMU Guest Agent installed in the guest. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0664 https://bugzilla.redhat.com/show_bug.cgi?id=2167423
affects the Virtual Machine Driver Pack [0]. [0] https://documentation.suse.com/sle-vmdp/2.5/html/vmdp/index.html
The qemu-ga with the patches applied is now available in the released and community versions of vmdp 2.5.4.2. Reassigning back to the security team.
done, closing