Hacker News new | past | comments | ask | show | jobs | submit login

QEMU developer here. Some context on the impact and the security architecture of QEMU:

1. Production VMs almost exclusively use tap networking, not slirp. This CVE mostly affects users running QEMU manually for development and test VMs.

2. Slirp (https://gitlab.freedesktop.org/slirp/libslirp) is part of the QEMU userspace process, which runs unprivileged and confined by SELinux when launched via libvirt. To be clear: this is not a host ring-0 exploit!

3. Getting root on the host or accessing other VMs requires further exploits to elevate privileges of the QEMU process and escape SELinux confinement.

More info on QEMU's security architecture: https://qemu.weilnetz.de/doc/qemu-doc.html#Security

For a more detailed overview of how QEMU is designed to mitigate exploits like this, see my talk from KVM Forum 2018: https://www.youtube.com/watch?v=YAdRf_hwxU8 https://vmsplice.net/~stefan/stefanha-kvm-forum-2018.pdf

> confined by SELinux

Only on platforms that use SELinux though.

For Ubuntu users there is AppArmor support in libvirt too: https://wiki.ubuntu.com/LibvirtApparmor

QEMU runs on other operating systems like *BSD, macOS, and Windows. It is less mature on those platforms and it's safer to avoid running untrusted VMs on those platforms.

And AFAIK seccomp everywhere else. libvirt enables Qemu's seccomp too, and slirp runs in-process

and libvirt

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact