CVE-2023-2861: 
NixOS vulnerability analysis and mitigation

A flaw was discovered in the 9p passthrough filesystem (9pfs) implementation in QEMU prior to version 8.1.0. The vulnerability, identified as CVE-2023-2861, was disclosed in December 2023. The 9pfs server failed to properly prohibit opening special files on the host side, which could potentially allow unauthorized access to sensitive system resources (NVD).

The vulnerability stems from improper access control in the 9p passthrough filesystem implementation. The 9p protocol does not specifically define how the server should handle attempts to open special files, but from a security perspective, the server should prohibit opening any special files on the host side. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD, NetApp Advisory).

Successful exploitation of this vulnerability could allow a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder. This could lead to disclosure of sensitive information or addition/modification of data on the host system (NetApp Advisory).

The vulnerability has been fixed in QEMU version 8.1.0. Users are advised to upgrade to this version or later to address the security issue. For Debian 10 buster, these problems have been fixed in version 1:3.1+dfsg-8+deb10u12 (Debian Advisory).