Vulnerability Details CVE-2019-14514
An issue was discovered in Microvirt MEmu all versions prior to 7.0.2. A guest Android operating system inside the MEmu emulator contains a /system/bin/systemd binary that is run with root privileges on startup (this is unrelated to Red Hat's systemd init program, and is a closed-source proprietary tool that seems to be developed by Microvirt). This program opens TCP port 21509, presumably to receive installation-related commands from the host OS. Because everything after the installer:uninstall command is concatenated directly into a system() call, it is possible to execute arbitrary commands by supplying shell metacharacters.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.104
EPSS Ranking 92.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 10.0
References
Products affected by CVE-2019-14514
-
cpe:2.3:a:microvirt:memu:2.3
-
cpe:2.3:a:microvirt:memu:2.3.1
-
cpe:2.3:a:microvirt:memu:2.5.0
-
cpe:2.3:a:microvirt:memu:2.6.1
-
cpe:2.3:a:microvirt:memu:2.6.2
-
cpe:2.3:a:microvirt:memu:2.6.5
-
cpe:2.3:a:microvirt:memu:2.6.6
-
cpe:2.3:a:microvirt:memu:2.7.0
-
cpe:2.3:a:microvirt:memu:2.7.2
-
cpe:2.3:a:microvirt:memu:2.8.0
-
cpe:2.3:a:microvirt:memu:2.8.2
-
cpe:2.3:a:microvirt:memu:2.8.3
-
cpe:2.3:a:microvirt:memu:2.8.5
-
cpe:2.3:a:microvirt:memu:2.8.6
-
cpe:2.3:a:microvirt:memu:2.9.1
-
cpe:2.3:a:microvirt:memu:2.9.2
-
cpe:2.3:a:microvirt:memu:2.9.3
-
cpe:2.3:a:microvirt:memu:2.9.6
-
cpe:2.3:a:microvirt:memu:3.0
-
cpe:2.3:a:microvirt:memu:3.0.7
-
cpe:2.3:a:microvirt:memu:3.0.8
-
cpe:2.3:a:microvirt:memu:3.1.2
-
cpe:2.3:a:microvirt:memu:3.3.0
-
cpe:2.3:a:microvirt:memu:3.5.0
-
cpe:2.3:a:microvirt:memu:3.6.2
-
cpe:2.3:a:microvirt:memu:3.6.7
-
cpe:2.3:a:microvirt:memu:3.6.8
-
cpe:2.3:a:microvirt:memu:3.6.9
-
cpe:2.3:a:microvirt:memu:3.7.0
-
cpe:2.3:a:microvirt:memu:5.0
-
cpe:2.3:a:microvirt:memu:5.0.1
-
cpe:2.3:a:microvirt:memu:5.0.3
-
cpe:2.3:a:microvirt:memu:5.0.5
-
cpe:2.3:a:microvirt:memu:5.1.0
-
cpe:2.3:a:microvirt:memu:5.1.1
-
cpe:2.3:a:microvirt:memu:5.2.1
-
cpe:2.3:a:microvirt:memu:5.2.2
-
cpe:2.3:a:microvirt:memu:5.2.3
-
cpe:2.3:a:microvirt:memu:5.2.5
-
cpe:2.3:a:microvirt:memu:5.3.1
-
cpe:2.3:a:microvirt:memu:5.3.2
-
cpe:2.3:a:microvirt:memu:5.5.1
-
cpe:2.3:a:microvirt:memu:5.5.2
-
cpe:2.3:a:microvirt:memu:5.5.5
-
cpe:2.3:a:microvirt:memu:5.5.7
-
cpe:2.3:a:microvirt:memu:5.5.8
-
cpe:2.3:a:microvirt:memu:5.6.2
-
cpe:2.3:a:microvirt:memu:6.0.1
-
cpe:2.3:a:microvirt:memu:6.0.5
-
cpe:2.3:a:microvirt:memu:6.0.6
-
cpe:2.3:a:microvirt:memu:6.0.7
-
cpe:2.3:a:microvirt:memu:6.0.8
-
cpe:2.3:a:microvirt:memu:6.1.0
-
cpe:2.3:a:microvirt:memu:6.2.1
-
cpe:2.3:a:microvirt:memu:6.2.3
-
cpe:2.3:a:microvirt:memu:6.2.5
-
cpe:2.3:a:microvirt:memu:6.2.7
-
cpe:2.3:a:microvirt:memu:6.3.2
-
cpe:2.3:a:microvirt:memu:6.3.7
-
cpe:2.3:a:microvirt:memu:6.5.1
-
cpe:2.3:a:microvirt:memu:7.0.1