
CVE-2019-14514

Published: 11/02/2020 Updated: 13/02/2020
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 890
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

An issue exists in Microvirt MEmu all versions before 7.0.2. A guest Android operating system inside the MEmu emulator contains a /system/bin/systemd binary that is run with root privileges on startup (this is unrelated to Red Hat's systemd init program, and is a closed-source proprietary tool that seems to be developed by Microvirt). This program opens TCP port 21509, presumably to receive installation-related commands from the host OS. Because everything after the installer:uninstall command is concatenated directly into a system() call, it is possible to execute arbitrary commands by supplying shell metacharacters.
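The fix for this class of bug (CWE-78) is to validate the argument against an allowlist and pass it as a single argv element instead of building a system() string. The C sketch below is an added example, not Microvirt's code. It assumes the text after installer:uninstall is an Android package name and that the helper being run is "pm uninstall"; the page confirms neither, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define PKG_MAX 255

static int is_alpha(char c) { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'); }
static int is_digit(char c) { return c >= '0' && c <= '9'; }

/* Allowlist: dot-separated segments, at least two, each starting with a
 * letter and continuing with letters, digits or '_'. Anything else,
 * including every shell metacharacter and whitespace, is rejected. */
int pkg_name_ok(const char *s) {
    size_t len = strlen(s);
    int seg_start = 1, dots = 0;
    if (len == 0 || len > PKG_MAX) return 0;
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        if (c == '.') {
            if (seg_start) return 0;          /* empty segment */
            seg_start = 1;
            dots++;
        } else if (seg_start) {
            if (!is_alpha(c)) return 0;       /* segment must start with a letter */
            seg_start = 0;
        } else if (!is_alpha(c) && !is_digit(c) && c != '_') {
            return 0;
        }
    }
    return !seg_start && dots >= 1;
}

/* Fills argv for execv()/posix_spawn(): the name travels as one argument
 * and no shell ever parses it. "pm uninstall" is an assumed helper. */
int build_uninstall_argv(const char *arg, const char *argv[4]) {
    if (!pkg_name_ok(arg)) return -1;
    argv[0] = "pm";
    argv[1] = "uninstall";
    argv[2] = arg;
    argv[3] = NULL;
    return 0;
}

int main(void) {
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = { "com.example.app", "com.example.app; echo x", "app" };
    const char *argv[4];
    for (size_t i = 0; i < 3; i++)
        printf("%-28s -> %s\n", samples[i],
               build_uninstall_argv(samples[i], argv) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Validation alone is not the whole fix: a root service listening on a TCP port should also bind only where the host needs it and authenticate the peer.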

Vulnerable Product

microvirt memu

Github Repositories

Remote code execution in Microvirt MEmu

CVEID: CVE-2019-14514

Name of the affected product(s) and version(s): Microvirt MEmu (all versions prior to 702)

Problem type: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Summary

MEmu is an Android emulator for Windows. During our tests, we have found an open TCP port which could be exploited to gain code execu