Executive Summary
Summary | |
---|---|
Title | libvirt vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-1008-1 | First vendor Publication | 2010-10-21 |
Vendor | Ubuntu | Last vendor Modification | 2010-10-21 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:M/Au:S/C:C/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.4 | Attack Range | Local |
Cvss Impact Score | 6.9 | Attack Complexity | Medium |
Cvss Expoit Score | 2.7 | Authentication | Requires single instance |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 9.04 Ubuntu 9.10 Ubuntu 10.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: Ubuntu 9.04: Ubuntu 9.10: Ubuntu 10.04 LTS: After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: The previous version of libvirt on Ubuntu 10.04 LTS would probe a qemu disk to determine its format and did not require that the format be declared in the XML. This is considered a security problem in most deployments and this version of libvirt will default to the 'raw' format when the format is not specified in the XML. As a result, non-raw disks without a specified disk format will no longer be available in existing virtual machines. The libvirt-migrate-qemu-disks tool is provided to aid in transitioning virtual machine definitions to the new required format. In essence, it will check all domains for affected virtual machines, probe the affected disks and update the domain definition accordingly. This command will be run automatically on upgrade. For new virtual machines using non-raw images, the disk format must be specified in the domain XML provided to libvirt, otherwise the disk will not be available to the virtual machine. See man 1 libvirt-migrate-qemu-disks for details. Users who require the old behavior can adjust the 'allow_disk_format_probing' option in /etc/libvirt/qemu.conf. Details follow: It was discovered that libvirt would probe disk backing stores without consulting the defined format for the disk. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue only affected Ubuntu 10.04 LTS. By default, guests are confined by an AppArmor profile which provided partial protection against this flaw. (CVE-2010-2237, CVE-2010-2238) It was discovered that libvirt would create new VMs without setting a backing store format. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue did not affect Ubuntu 8.04 LTS. In Ubuntu 9.10 and later guests are confined by an AppArmor profile which provided partial protection against this flaw. (CVE-2010-2239) Jeremy Nickurak discovered that libvirt created iptables rules with too lenient mappings of source ports. A privileged attacker in the guest could bypass intended restrictions to access privileged resources on the host. (CVE-2010-2242) |
Original Source
Url : http://www.ubuntu.com/usn/USN-1008-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12561 | |||
Oval ID: | oval:org.mitre.oval:def:12561 | ||
Title: | USN-1008-2 -- virtinst update | ||
Description: | Libvirt in Ubuntu 10.04 LTS now no longer probes qemu disks for the image format and defaults to "raw" when the format is not specified in the XML. This change in behavior breaks virt-install --import because virtinst in Ubuntu 10.04 LTS did not allow for specifying a disk format and does not specify a format in the XML. This update adds the "format=" option when specifying a disk. For example, to import an existing VM which uses a qcow2 disk format, use somthing like the following: virt-install --connect=qemu:///session --name test-import --ram=256 \ --disk path=<path to qcow2 image>,format=qcow2 --import For more information, see man 1 virt-install. Original advisory details: It was discovered that libvirt would probe disk backing stores without consulting the defined format for the disk. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue only affected Ubuntu 10.04 LTS. By default, guests are confined by an AppArmor profile which provided partial protection against this flaw. It was discovered that libvirt would create new VMs without setting a backing store format. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue did not affect Ubuntu 8.04 LTS. In Ubuntu 9.10 and later guests are confined by an AppArmor profile which provided partial protection against this flaw. Jeremy Nickurak discovered that libvirt created iptables rules with too lenient mappings of source ports. A privileged attacker in the guest could bypass intended restrictions to access privileged resources on the host | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1008-2 CVE-2010-2237 CVE-2010-2238 CVE-2010-2239 CVE-2010-2242 | Version: | 5 |
Platform(s): | Ubuntu 10.04 | Product(s): | virtinst |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:13033 | |||
Oval ID: | oval:org.mitre.oval:def:13033 | ||
Title: | USN-1008-3 -- libvirt update | ||
Description: | USN-1008-1 fixed vulnerabilities in libvirt. The update for Ubuntu 10.04 LTS reverted a recent bug fix update. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that libvirt would probe disk backing stores without consulting the defined format for the disk. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue only affected Ubuntu 10.04 LTS. By default, guests are confined by an AppArmor profile which provided partial protection against this flaw. It was discovered that libvirt would create new VMs without setting a backing store format. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue did not affect Ubuntu 8.04 LTS. In Ubuntu 9.10 and later guests are confined by an AppArmor profile which provided partial protection against this flaw. Jeremy Nickurak discovered that libvirt created iptables rules with too lenient mappings of source ports. A privileged attacker in the guest could bypass intended restrictions to access privileged resources on the host | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1008-3 CVE-2010-2237 CVE-2010-2238 CVE-2010-2239 CVE-2010-2242 | Version: | 5 |
Platform(s): | Ubuntu 10.04 | Product(s): | libvirt |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13109 | |||
Oval ID: | oval:org.mitre.oval:def:13109 | ||
Title: | USN-1008-1 -- libvirt vulnerabilities | ||
Description: | It was discovered that libvirt would probe disk backing stores without consulting the defined format for the disk. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue only affected Ubuntu 10.04 LTS. By default, guests are confined by an AppArmor profile which provided partial protection against this flaw. It was discovered that libvirt would create new VMs without setting a backing store format. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue did not affect Ubuntu 8.04 LTS. In Ubuntu 9.10 and later guests are confined by an AppArmor profile which provided partial protection against this flaw. Jeremy Nickurak discovered that libvirt created iptables rules with too lenient mappings of source ports. A privileged attacker in the guest could bypass intended restrictions to access privileged resources on the host | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1008-1 CVE-2010-2237 CVE-2010-2238 CVE-2010-2239 CVE-2010-2242 | Version: | 5 |
Platform(s): | Ubuntu 8.04 Ubuntu 10.04 Ubuntu 9.04 Ubuntu 9.10 | Product(s): | libvirt |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13143 | |||
Oval ID: | oval:org.mitre.oval:def:13143 | ||
Title: | USN-1008-4 -- libvirt regression | ||
Description: | USN-1008-1 fixed vulnerabilities in libvirt. The upstream fixes for CVE-2010-2238 changed the behavior of libvirt such that the domain XML could not specify "host_device" as the qemu sub-type. While libvirt 0.8.3 and later will longer support specifying this sub-type, this update restores the old behavior on Ubuntu 10.04 LTS. We apologize for the inconvenience. Original advisory details: It was discovered that libvirt would probe disk backing stores without consulting the defined format for the disk. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue only affected Ubuntu 10.04 LTS. By default, guests are confined by an AppArmor profile which provided partial protection against this flaw. It was discovered that libvirt would create new VMs without setting a backing store format. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue did not affect Ubuntu 8.04 LTS. In Ubuntu 9.10 and later guests are confined by an AppArmor profile which provided partial protection against this flaw. Jeremy Nickurak discovered that libvirt created iptables rules with too lenient mappings of source ports. A privileged attacker in the guest could bypass intended restrictions to access privileged resources on the host | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1008-4 CVE-2010-2238 CVE-2010-2237 CVE-2010-2239 CVE-2010-2242 | Version: | 5 |
Platform(s): | Ubuntu 10.04 | Product(s): | libvirt |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22120 | |||
Oval ID: | oval:org.mitre.oval:def:22120 | ||
Title: | RHSA-2010:0615: libvirt security and bug fix update (Low) | ||
Description: | Red Hat libvirt 0.2.0 through 0.8.2 creates iptables rules with improper mappings of privileged source ports, which allows guest OS users to bypass intended access restrictions by leveraging IP address and source-port values, as demonstrated by copying and deleting an NFS directory tree. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0615-01 CESA-2010:0615 CVE-2010-2239 CVE-2010-2242 | Version: | 29 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | libvirt |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22785 | |||
Oval ID: | oval:org.mitre.oval:def:22785 | ||
Title: | ELSA-2010:0615: libvirt security and bug fix update (Low) | ||
Description: | Red Hat libvirt 0.2.0 through 0.8.2 creates iptables rules with improper mappings of privileged source ports, which allows guest OS users to bypass intended access restrictions by leveraging IP address and source-port values, as demonstrated by copying and deleting an NFS directory tree. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0615-01 CVE-2010-2239 CVE-2010-2242 | Version: | 13 |
Platform(s): | Oracle Linux 5 | Product(s): | libvirt |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:28238 | |||
Oval ID: | oval:org.mitre.oval:def:28238 | ||
Title: | DEPRECATED: ELSA-2010-0615 -- libvirt security and bug fix update (low) | ||
Description: | [0.6.3-33.0.1.el5_5.3] - Replaced docs/et.png in tarball [0.6.3-33.el5_5.3] - Explicitly set qcow2 backing store format (CVE-2010-2239) - Remap privileged source ports from guests behind NAT (CVE-2010-2242) - Eliminate memory leak in xenUnifiedDomainInfoListFree (rhbz 619711) [0.6.3-33.el5_5.2] - Fix discrepancy between xm list and virsh list (rhbz 618200) - Set a stable & high MAC addr for guest TAP devices on host (rhbz 617243) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010-0615 CVE-2010-2239 CVE-2010-2242 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | libvirt |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for libvirt CESA-2010:0615 centos5 i386 File : nvt/gb_CESA-2010_0615_libvirt_centos5_i386.nasl |
2011-06-20 | Name : Ubuntu Update for libvirt USN-1152-1 File : nvt/gb_ubuntu_USN_1152_1.nasl |
2010-11-16 | Name : Ubuntu Update for libvirt regression USN-1008-4 File : nvt/gb_ubuntu_USN_1008_4.nasl |
2010-10-26 | Name : Ubuntu Update for libvirt update USN-1008-3 File : nvt/gb_ubuntu_USN_1008_3.nasl |
2010-10-22 | Name : Ubuntu Update for libvirt vulnerabilities USN-1008-1 File : nvt/gb_ubuntu_USN_1008_1.nasl |
2010-10-22 | Name : Ubuntu Update for virtinst update USN-1008-2 File : nvt/gb_ubuntu_USN_1008_2.nasl |
2010-07-30 | Name : Fedora Update for libvirt FEDORA-2010-10960 File : nvt/gb_fedora_2010_10960_libvirt_fc13.nasl |
2010-07-30 | Name : Fedora Update for libvirt FEDORA-2010-11021 File : nvt/gb_fedora_2010_11021_libvirt_fc12.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
67300 | libvirt on Red Hat iptables Rules Privileged Source Port Mapping Guest OS Acc... |
67299 | libvirt on Red Hat New Image Creation User-defined Backing-store Format Weakn... |
67298 | libvirt on Red Hat Disk Backing-store Format Disk-image Backing Stores Recurs... |
67297 | libvirt on Red Hat Main Disk Format Disk Backing Store Lookup Guest OS Arbitr... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_libvirt-100810.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0615.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0615.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100810_libvirt_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2011-06-17 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1152-1.nasl - Type : ACT_GATHER_INFO |
2011-01-21 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libvirt-100819.nasl - Type : ACT_GATHER_INFO |
2010-12-02 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libvirt-100723.nasl - Type : ACT_GATHER_INFO |
2010-11-09 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1008-4.nasl - Type : ACT_GATHER_INFO |
2010-10-24 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1008-3.nasl - Type : ACT_GATHER_INFO |
2010-10-22 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1008-1.nasl - Type : ACT_GATHER_INFO |
2010-10-22 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1008-2.nasl - Type : ACT_GATHER_INFO |
2010-10-11 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libvirt-7150.nasl - Type : ACT_GATHER_INFO |
2010-09-17 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_libvirt-100730.nasl - Type : ACT_GATHER_INFO |
2010-09-17 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_libvirt-100723.nasl - Type : ACT_GATHER_INFO |
2010-08-12 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0615.nasl - Type : ACT_GATHER_INFO |
2010-07-27 | Name : The remote Fedora host is missing a security update. File : fedora_2010-11021.nasl - Type : ACT_GATHER_INFO |
2010-07-27 | Name : The remote Fedora host is missing a security update. File : fedora_2010-10960.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:58:00 |
|