On 9/26/19 7:58 AM, Thomas Huth wrote: > On 25/09/2019 22.51, Philippe Mathieu-Daudé wrote: > [...] >> Let's say I have write access to a LAN TFTP server used by some PXE >> bootloader where I can store my crafted nasty kernel, then I get this score: >> >> https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C&version=3.1 >> >> CVSS Base Score: 9.6 >> CVSS Temporal Score: 8.6 >> >> Which seems quite high. > > I don't think you can trigger this bug this way. If you load your kernel > via a PXE server, the ELF parsing will be done by the bootloader, won't > it? I think you can only trigger this bug here if you load your kernel > via the "-kernel" command line parameter of QEMU (or the generic-loader > device), so it's not a real guest escape, as far as I can see.
Ah indeed you are correct. You have to use the -kernel option to set kernel_filename. This reduce the scores: CVSS Base Score: 8.4 CVSS Temporal Score: 7.6 Exploitability Subscore: 1.7 You could load a kernel stored on a NFS server, but it is unlikely a production case :)