Vulnerabilities > CVE-2011-2178 - Unspecified vulnerability in Redhat Libvirt 0.8.8/0.9.0/0.9.1

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
redhat
nessus
NVD
Published: 2011-08-10
Updated: 2023-11-07

Summary

The virSecurityManagerGetPrivateData function in security/security_manager.c in libvirt 0.8.8 through 0.9.1 uses the wrong argument for a sizeof call, which causes incorrect processing of "security manager private data" that "reopens disk probing" and might allow guest OS users to read arbitrary files on the host OS. NOTE: this vulnerability exists because of a CVE-2010-2238 regression.

Vulnerable Configurations

Part Description Count
Application
Redhat
3

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2011-9091.NASL
    descriptionFix for CVE-2011-2178, regression introduced in disk probe logic, Fix for CVE-2011-2511, integer overflow in VirDomainGetVcpus Make commandtest more robust, Add ARM to NUMA excludes Add several build and runtime dependencies to specfile Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id55561
    published2011-07-12
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55561
    titleFedora 15 : libvirt-0.8.8-7.fc15 (2011-9091)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2011-9091.
#

include("compat.inc");

if (description)
{
  script_id(55561);
  script_version("1.9");
  script_cvs_date("Date: 2019/08/02 13:32:35");

  script_cve_id("CVE-2011-2178", "CVE-2011-2511");
  script_bugtraq_id(48321, 48478);
  script_xref(name:"FEDORA", value:"2011-9091");

  script_name(english:"Fedora 15 : libvirt-0.8.8-7.fc15 (2011-9091)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Fix for CVE-2011-2178, regression introduced in disk probe logic,

Fix for CVE-2011-2511, integer overflow in VirDomainGetVcpus

Make commandtest more robust,

Add ARM to NUMA excludes

Add several build and runtime dependencies to specfile

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=680270"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=709775"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=717204"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2011-July/062515.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?a0f11553"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected libvirt package."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:S/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libvirt");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:15");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/07/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^15([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 15.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC15", reference:"libvirt-0.8.8-7.fc15")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvirt");
}
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_4_LIBVIRT-110614.NASL
    descriptionA regression re-introduced automatic disk probing again which potentially allowed to uses to access arbitrary files (CVE-2011-2178).
    last seen2020-06-01
    modified2020-06-02
    plugin id75929
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75929
    titleopenSUSE Security Update : libvirt (openSUSE-SU-2011:0643-1)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update libvirt-4712.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(75929);
  script_version("1.4");
  script_cvs_date("Date: 2019/10/25 13:36:42");

  script_cve_id("CVE-2011-2178");

  script_name(english:"openSUSE Security Update : libvirt (openSUSE-SU-2011:0643-1)");
  script_summary(english:"Check for the libvirt-4712 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A regression re-introduced automatic disk probing again which
potentially allowed to uses to access arbitrary files (CVE-2011-2178)."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=697904"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2011-06/msg00030.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected libvirt packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:S/C:C/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvirt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvirt-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvirt-client-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvirt-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvirt-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvirt-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvirt-python");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvirt-python-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.4");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/06/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.4)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.4", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE11.4", reference:"libvirt-0.8.8-0.10.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"libvirt-client-0.8.8-0.10.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"libvirt-client-debuginfo-0.8.8-0.10.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"libvirt-debuginfo-0.8.8-0.10.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"libvirt-debugsource-0.8.8-0.10.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"libvirt-devel-0.8.8-0.10.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"libvirt-python-0.8.8-0.10.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"libvirt-python-debuginfo-0.8.8-0.10.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvirt / libvirt-client / libvirt-devel / libvirt-python / etc");
}
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201202-07.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201202-07 (libvirt: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in libvirt. Please review the CVE identifiers referenced below for details. Impact : These vulnerabilities allow a remote attacker to cause a Denial of Service condition on the host server or libvirt daemon, or might allow guest OS users to read arbitrary files on the host OS. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id58139
    published2012-02-28
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/58139
    titleGLSA-201202-07 : libvirt: Multiple vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1152-1.NASL
    descriptionIt was discovered that libvirt did not use thread-safe error reporting. A remote attacker could exploit this to cause a denial of service via application crash. (CVE-2011-1486) Eric Blake discovered that libvirt had an off-by-one error which could be used to reopen disk probing and bypass the fix for CVE-2010-2238. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue only affected Ubuntu 11.04. By default, guests are confined by an AppArmor profile which provided partial protection against this flaw. (CVE-2011-2178). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id55167
    published2011-06-17
    reporterUbuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/55167
    titleUbuntu 10.04 LTS / 10.10 / 11.04 : libvirt vulnerabilities (USN-1152-1)

References