CVE-2008-5086 - Local Security Bypass vulnerability in libvirt
Metric | Value |
---|---|
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |

Summary
Multiple methods in libvirt 0.3.2 through 0.5.1 do not check if a connection is read-only, which allows local users to bypass intended access restrictions and perform administrative actions.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 7 |
Nessus
- NASL family: Ubuntu Local Security Checks
- NASL id: UBUNTU_USN-694-1.NASL
- description: It was discovered that libvirt did not mark certain operations as read-only. A local attacker may be able to perform privileged actions such as migrating virtual machines, adjusting autostart flags, or accessing privileged data in the virtual machine memory and disks. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 37984
- published: 2009-04-23
- reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/37984
- title: Ubuntu 7.10 / 8.04 LTS / 8.10 : libvirt vulnerability (USN-694-1)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-694-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(37984);
  script_version("1.12");
  script_cvs_date("Date: 2019/08/02 13:33:02");

  script_cve_id("CVE-2008-5086");
  script_xref(name:"USN", value:"694-1");

  script_name(english:"Ubuntu 7.10 / 8.04 LTS / 8.10 : libvirt vulnerability (USN-694-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value: "The remote Ubuntu host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value: "It was discovered that libvirt did not mark certain operations as read-only. A local attacker may be able to perform privileged actions such as migrating virtual machines, adjusting autostart flags, or accessing privileged data in the virtual machine memory and disks. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/694-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-bin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt0-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-libvirt");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/12/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(7\.10|8\.04|8\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 7.10 / 8.04 / 8.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"7.10", pkgname:"libvirt-bin", pkgver:"0.3.0-0ubuntu2.1")) flag++;
if (ubuntu_check(osver:"7.10", pkgname:"libvirt-dev", pkgver:"0.3.0-0ubuntu2.1")) flag++;
if (ubuntu_check(osver:"7.10", pkgname:"libvirt0", pkgver:"0.3.0-0ubuntu2.1")) flag++;
if (ubuntu_check(osver:"7.10", pkgname:"python-libvirt", pkgver:"0.3.0-0ubuntu2.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"libvirt-bin", pkgver:"0.4.0-2ubuntu8.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"libvirt-dev", pkgver:"0.4.0-2ubuntu8.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"libvirt-doc", pkgver:"0.4.0-2ubuntu8.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"libvirt0", pkgver:"0.4.0-2ubuntu8.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"libvirt0-dbg", pkgver:"0.4.0-2ubuntu8.1")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"python-libvirt", pkgver:"0.4.0-2ubuntu8.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libvirt-bin", pkgver:"0.4.4-3ubuntu3.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libvirt-dev", pkgver:"0.4.4-3ubuntu3.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libvirt-doc", pkgver:"0.4.4-3ubuntu3.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libvirt0", pkgver:"0.4.4-3ubuntu3.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"libvirt0-dbg", pkgver:"0.4.4-3ubuntu3.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"python-libvirt", pkgver:"0.4.4-3ubuntu3.1")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvirt-bin / libvirt-dev / libvirt-doc / libvirt0 / libvirt0-dbg / etc");
}
```

- NASL family: Scientific Linux Local Security Checks
- NASL id: SL_20090319_LIBVIRT_ON_SL5_X.NASL
- description: The libvirtd daemon was discovered to not properly check user connection permissions before performing certain privileged actions, such as requesting migration of an unprivileged guest domain to another system. A local user able to establish a read-only connection to libvirtd could use this flaw to perform actions that should be restricted to read-write connections. (CVE-2008-5086) libvirt_proxy, a setuid helper application allowing non-privileged users to communicate with the hypervisor, was discovered to not properly validate user requests. Local users could use this flaw to cause a stack-based buffer overflow in libvirt_proxy, possibly allowing them to run arbitrary code with root privileges. (CVE-2009-0036) After installing the update, libvirtd must be restarted manually (for example, by issuing a
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 60551
- published: 2012-08-01
- reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/60551
- title: Scientific Linux Security Update : libvirt on SL5.x i386/x86_64

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_LIBVIRT-5869.NASL
- description: libvirt misses some read-only connection checks for certain methods. This flaw enables local unprivileged users for example to migrate virtual machines without authentication. (CVE-2008-5086)
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 41554
- published: 2009-09-24
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/41554
- title: SuSE 10 Security Update : libvirt (ZYPP Patch Number 5869)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2008-11433.NASL
- description: fix missing read-only access checks, fixes CVE-2008-5086 - upstream release 0.5.1 - mostly bugfixes e.g #473071 - some driver improvements. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 35228
- published: 2008-12-21
- reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/35228
- title: Fedora 9 : libvirt-0.5.1-2.fc9 (2008-11433)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2008-11443.NASL
- description: fix missing read-only access checks, fixes CVE-2008-5086 - upstream release 0.5.1 - mostly bugfixes e.g #473071 - some driver improvements. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 36460
- published: 2009-04-23
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/36460
- title: Fedora 10 : libvirt-0.5.1-2.fc10 (2008-11443)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_11_1_LIBVIRT-081218.NASL
- description: libvirt misses some read-only connection checks for certain methods. This flaw enables local unprivileged users for example to migrate virtual machines without authentication (CVE-2008-5086).
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 40272
- published: 2009-07-21
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/40272
- title: openSUSE Security Update : libvirt (libvirt-373)

- NASL family: Oracle Linux Local Security Checks
- NASL id: ORACLELINUX_ELSA-2009-0382.NASL
- description: From Red Hat Security Advisory 2009:0382 : Updated libvirt packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 5th May 2011] After installing this update and restarting the libvirtd service, the
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 67832
- published: 2013-07-12
- reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/67832
- title: Oracle Linux 5 : libvirt (ELSA-2009-0382)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_LIBVIRT-5874.NASL
- description: libvirt misses some read-only connection checks for certain methods. This flaw enables local unprivileged users for example to migrate virtual machines without authentication (CVE-2008-5086).
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 35607
- published: 2009-02-06
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/35607
- title: openSUSE 10 Security Update : libvirt (libvirt-5874)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_11_0_LIBVIRT-081218.NASL
- description: libvirt misses some read-only connection checks for certain methods. This flaw enables local unprivileged users for example to migrate virtual machines without authentication (CVE-2008-5086).
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 40051
- published: 2009-07-21
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/40051
- title: openSUSE Security Update : libvirt (libvirt-373)

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2009-0382.NASL
- description: Updated libvirt packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 5th May 2011] After installing this update and restarting the libvirtd service, the
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 63878
- published: 2013-01-24
- reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/63878
- title: RHEL 5 : libvirt (RHSA-2009:0382)

Oval
Field | Value |
---|---|
accepted | 2013-04-29T04:17:52.700-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Multiple methods in libvirt 0.3.2 through 0.5.1 do not check if a connection is read-only, which allows local users to bypass intended access restrictions and perform administrative actions. |
family | unix |
id | oval:org.mitre.oval:def:8765 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Multiple methods in libvirt 0.3.2 through 0.5.1 do not check if a connection is read-only, which allows local users to bypass intended access restrictions and perform administrative actions. |
version | 18 |
References
- http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
- http://osvdb.org/50919
- http://secunia.com/advisories/33198
- http://secunia.com/advisories/33217
- http://secunia.com/advisories/33292
- http://secunia.com/advisories/34397
- http://www.redhat.com/archives/fedora-package-announce/2008-December/msg00938.html
- http://www.redhat.com/support/errata/RHSA-2009-0382.html
- http://www.securityfocus.com/bid/32905
- http://www.ubuntu.com/usn/usn-694-1
- https://bugzilla.redhat.com/show_bug.cgi?id=476560
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8765
- https://www.redhat.com/archives/libvir-list/2008-December/msg00522.html