CVE-2024-6505 Overview
A flaw was found in the virtio-net device in QEMU. When enabling the RSS (Receive Side Scaling) feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host, leading to a denial of service condition.
Critical Impact
A privileged user inside a guest can crash the QEMU process that backs that guest. Each QEMU process runs exactly one virtual machine, so the direct effect is a denial of service against that VM and whatever depends on it; other VMs on the same host continue to run in their own QEMU processes. The scored impact is availability only: the published vector records no confidentiality or integrity impact.
Affected Products
- QEMU builds that offer the virtio-net RSS feature, in versions before the upstream fix for this CVE (check your distribution advisory for the fixed package version)
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
Discovery Timeline
- 2024-07-05 - CVE-2024-6505 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-6505
Vulnerability Analysis
This vulnerability is classified as an Out-of-Bounds Read (CWE-125) in the virtio-net device implementation in QEMU. The flaw is in the handling of RSS (Receive Side Scaling), which spreads received packets across the device's receive queues: QEMU hashes selected packet header fields and uses the hash to look up an entry in a guest-supplied indirection table, and that entry names the receive queue the packet goes to.
The core issue is insufficient validation of the indirections_table the guest supplies. Each table entry is a queue index, and QEMU accepted entries larger than the number of receive queues the device actually has. When such an entry is later used to select a queue, QEMU indexes past the end of its heap-allocated queue state, which is the out-of-bounds heap access the advisory describes (a read, and depending on the code path potentially a write).
The RSS configuration reaches QEMU over the virtio-net control virtqueue (the VIRTIO_NET_CTRL_MQ_RSS_CONFIG command), so the trigger comes from the guest's side of the device rather than from traffic arriving on the network. The published CVSS vector marks privileges required as high (PR:H) and scope as changed (S:C): the guest-side action reaches across the virtualization boundary into the host-side QEMU process. The impact component is availability: the QEMU process crashes.
Root Cause
The root cause is a missing bounds check on the indirections_table entries in the virtio-net RSS implementation. When RSS is negotiated, the guest controls the table contents, and each entry must be a valid receive queue index (less than the device's number of queue pairs). QEMU validated other parts of the configuration, such as the table length, but did not reject entries that exceed the queue count, so an attacker-chosen index was used as-is for memory access.
Attack Vector
The attack requires a privileged user within a guest virtual machine to feed a malformed RSS configuration to the virtio-net device. The preconditions and steps are:
- The host exposes RSS on the device (rss=on on the QEMU virtio-net device, or rss='on' in the libvirt interface's driver element); without that, the guest cannot negotiate VIRTIO_NET_F_RSS and the vulnerable code is not reachable
- The attacker has privileged (root or kernel-level) access inside the guest, enough to drive the virtio device directly, since the stock guest driver only sends indices for queues it knows exist
- The attacker sends an RSS configuration over the control virtqueue whose indirection table contains queue indices larger than the number of receive queues the device has
- Received traffic then causes QEMU to consult the table and use one of those entries as a queue index
When QEMU indexes its per-queue state with such an entry, it touches heap memory outside the allocation and the process crashes. That takes the guest down; other guests on the host are unaffected unless the same attacker holds privileges in them too.
For the detailed analysis and the fix discussion, see Red Hat Bug Report #2295760.
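The root cause and attack vector above come down to one missing range check at configuration time. The following C program is an added illustration written for this page, not QEMU's code: the structure names, the queue count, and the table layout are hypothetical stand-ins. It places the unchecked table-loading shape next to the checked one and shows, on a constructed guest table, how an entry of 0xFFFF survives the unchecked path and becomes a queue index far beyond the four queues the modelled device owns, while the checked path rejects the same table before anything is stored.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of virtio-net RSS indirection-table handling. Hypothetical names
 * and layout for illustration only; this is not QEMU's code.
 */
#define MAX_QUEUE_PAIRS   4    /* receive queues this device instance owns */
#define RSS_MAX_TABLE_LEN 128  /* upper bound on indirection entries */

struct rss_state {
    uint16_t table[RSS_MAX_TABLE_LEN];
    uint16_t len;           /* entries in use: indirection_table_mask + 1 */
    uint16_t default_queue; /* queue for packets the hash does not classify */
};

/* Checks present in both shapes: sane table length, default queue exists. */
static int rss_check_common(uint16_t mask, uint16_t default_queue, uint16_t nqueues)
{
    uint32_t len = (uint32_t)mask + 1;
    if (len > RSS_MAX_TABLE_LEN || (len & (len - 1)))
        return -1;                      /* too long, or not a power of two */
    if (default_queue >= nqueues)
        return -1;                      /* default queue must be a real queue */
    return 0;
}

/* Unpatched shape: guest-supplied entries are copied without a range check. */
static int rss_apply_unchecked(struct rss_state *s, const uint16_t *guest_table,
                               uint16_t mask, uint16_t default_queue, uint16_t nqueues)
{
    if (rss_check_common(mask, default_queue, nqueues) < 0)
        return -1;
    s->len = mask + 1;
    s->default_queue = default_queue;
    for (uint16_t i = 0; i < s->len; i++)
        s->table[i] = guest_table[i];   /* trusted as-is: this is the bug */
    return 0;
}

/* Patched shape: every entry must name a queue that exists, or the whole
 * configuration is rejected before any of it is stored. */
static int rss_apply_checked(struct rss_state *s, const uint16_t *guest_table,
                             uint16_t mask, uint16_t default_queue, uint16_t nqueues)
{
    if (rss_check_common(mask, default_queue, nqueues) < 0)
        return -1;
    for (uint32_t i = 0; i < (uint32_t)mask + 1; i++)
        if (guest_table[i] >= nqueues)
            return -1;                  /* queue index out of range */
    s->len = mask + 1;
    s->default_queue = default_queue;
    for (uint16_t i = 0; i < s->len; i++)
        s->table[i] = guest_table[i];
    return 0;
}

/* Receive path: the queue index a packet with this RSS hash is steered to.
 * The entry is used directly as an index into per-queue state, so an
 * unchecked entry such as 0xFFFF points far outside that allocation. */
static uint16_t rss_select_queue(const struct rss_state *s, uint32_t hash)
{
    return s->table[hash & (s->len - 1)];
}

/* 1 if the selected index is safe to dereference, 0 if it would be out of bounds. */
static int rss_queue_in_range(const struct rss_state *s, uint32_t hash, uint16_t nqueues)
{
    return rss_select_queue(s, hash) < nqueues;
}

int main(void)
{
    /* Constructed guest input: a 4-entry table (mask 3) whose last entry
     * names a queue far beyond the 4 the device has. */
    uint16_t hostile[4] = { 0, 1, 2, 0xFFFF };
    uint16_t benign[4]  = { 0, 1, 2, 3 };
    struct rss_state s = { 0 };

    if (rss_apply_unchecked(&s, hostile, 3, 0, MAX_QUEUE_PAIRS) == 0)
        printf("unchecked: accepted; hash 3 selects queue %u of %u\n",
               (unsigned)rss_select_queue(&s, 3), (unsigned)MAX_QUEUE_PAIRS);
    if (rss_apply_checked(&s, hostile, 3, 0, MAX_QUEUE_PAIRS) < 0)
        printf("checked: hostile table rejected\n");
    if (rss_apply_checked(&s, benign, 3, 0, MAX_QUEUE_PAIRS) == 0)
        printf("checked: benign table accepted; hash 6 selects queue %u\n",
               (unsigned)rss_select_queue(&s, 6));
    return 0;
}
```

The model keeps the two checks the unpatched code already performs (table length a power of two within the maximum, default queue in range) so the contrast is only the missing per-entry check; rejecting the configuration before storing any of it matters because a partially applied table would otherwise leave the device in a state the guest chose.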
Detection Methods for CVE-2024-6505
Indicators of Compromise
- Unexpected QEMU process exits on hypervisor hosts, with the affected guest going down at the same moment
- Core dumps from QEMU processes showing a segmentation fault or an abort in the virtio-net receive or RSS code
- A guest with an RSS-enabled virtio-net interface losing connectivity because its QEMU process terminated, rather than because of a network fault
- Host logs (systemd journal, and libvirt's per-domain log under /var/log/libvirt/qemu/) recording the QEMU process ending on a memory access violation signal
Detection Strategies
- Alert on QEMU process crashes using the systemd journal and coredump handling on each host
- Audit guest configurations to find virtio-net interfaces that expose RSS (rss='on' in the libvirt interface driver element, or rss=on on the QEMU command line); RSS is off unless it was explicitly turned on, so this list is the exposed population
- Run QEMU under the confinement libvirt sets up by default (SELinux sVirt or AppArmor, plus seccomp) so that a crash or memory-safety fault in one QEMU process stays contained to that guest
- Keep an inventory of which guests grant root or kernel-level access to which tenants, since only a privileged guest user can trigger the flaw
Monitoring Recommendations
- Enable core dump collection for QEMU processes to support forensic analysis; note that a QEMU core dump contains the guest's memory, so store and share it with the same care as the guest's own data
- Configure alerting for unexpected QEMU process terminations across the virtualization fleet
- Track RSS enablement in guest definitions as part of configuration management, so newly exposed guests are noticed
- Aggregate QEMU and libvirt logs from all hypervisor hosts in one place so a pattern of crashes tied to one tenant is visible
How to Mitigate CVE-2024-6505
Immediate Actions Required
- Identify all guests whose virtio-net devices expose RSS; RSS is disabled by default in QEMU, so only deployments that enabled it are exposed
- Disable RSS on virtio-net devices where the feature is not strictly required
- Restrict privileged access within guest virtual machines to trusted administrators, since unprivileged guest users cannot reach the control virtqueue
- Apply the fixed QEMU packages from your Linux distribution
Patch Information
The fix is in upstream QEMU and is shipped through vendor package updates. Consult the following resources for the patched versions:
- Red Hat CVE-2024-6505 Advisory
- Red Hat Bug Report #2295760
- NetApp Security Advisory NTAP-20240816-0006
Check with your Linux distribution vendor for specific patch availability and update instructions.
Workarounds
- Disable the RSS feature on virtio-net devices by removing rss=on from the QEMU command line, or setting rss='off' (or dropping the attribute) in the interface's driver element in the libvirt domain XML; the guest then cannot negotiate VIRTIO_NET_F_RSS and the vulnerable path is unreachable
- Switching to another device model (such as e1000 or rtl8139) also removes the RSS code path, but it changes the driver the guest needs, costs performance, and trades one emulated device's attack surface for another; prefer keeping virtio-net with RSS off
- Segment the network so that a guest that can be taken offline by an insider does not sit in the path of other workloads
- Restrict guest administrative access to minimize the risk of exploitation by malicious insiders
# Disable RSS on a virtio-net interface in the libvirt domain configuration.
# RSS is only exposed when the interface's <driver> element carries rss='on'
# (or the QEMU command line carries rss=on on the virtio-net device).
virsh dumpxml <vm-name> | grep -n "rss="
# Edit the domain: for each <interface> with <model type='virtio'/>, change
# rss='on' in its <driver .../> element to rss='off', or remove the attribute.
virsh edit <vm-name>
# The change only takes effect when the guest is cold-booted.
virsh shutdown <vm-name>
virsh start <vm-name>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


