Vulnerabilities > CVE-2013-0170 - Use After Free vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
redhat
suse
opensuse
fedoraproject
canonical
CWE-416
nessus
NVD
Published: 2013-02-08
Updated: 2023-02-13

Summary

Use-after-free vulnerability in the virNetMessageFree function in rpc/virnetserverclient.c in libvirt 1.0.x before 1.0.2, 0.10.2 before 0.10.2.3, 0.9.11 before 0.9.11.9, and 0.9.6 before 0.9.6.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering certain errors during an RPC connection, which causes a message to be freed without being removed from the message queue.

Vulnerable Configurations

Part Description Count
Application
Redhat
31
OS
Suse
3
OS
Opensuse
2
OS
Fedoraproject
3
OS
Redhat
4
OS
Canonical
2

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-1626.NASL
    description - Rebased to version 0.9.11.9 - CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz #905173) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-02-08
    plugin id64496
    published2013-02-08
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/64496
    titleFedora 17 : libvirt-0.9.11.9-1.fc17 (2013-1626)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-1642.NASL
    description - Rebased to version 0.9.6.4 - CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz #905173) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-02-08
    plugin id64497
    published2013-02-08
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/64497
    titleFedora 16 : libvirt-0.9.6.4-1.fc16 (2013-1642)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2013-105.NASL
    descriptionlibvirt was updated to fix some bugs and security issues : Security issues fixed : - Fix crash on error paths of message dispatching, CVE-2013-0170 bnc#800976 - security: Fix libvirtd crash possibility CVE-2012-4423 bnc#780432 Also bugs were fixed : - qemu: Fix probing for guest capabilities bnc#772586 - xen-xm: Generate UUID if not specified bnc#773626 - xenParseXM: don
    last seen2020-06-05
    modified2014-06-13
    plugin id74880
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74880
    titleopenSUSE Security Update : libvirt (openSUSE-SU-2013:0274-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2013-108.NASL
    description - Update to libvirt 0.9.11.9 stable release - Fixes CVE-2013-0170 by including cherry picked master commit 46532e3e, bnc#800976 - Fix starting lxc VM e.g from OpenStack bnc#793900 and rh#858104
    last seen2020-06-05
    modified2014-06-13
    plugin id74883
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74883
    titleopenSUSE Security Update : libvirt (openSUSE-SU-2013:0275-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2013-0199.NASL
    descriptionFrom Red Hat Security Advisory 2013:0199 : Updated libvirt packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. A flaw was found in the way libvirtd handled connection cleanup (when a connection was being closed) under certain error conditions. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, execute arbitrary code with the privileges of the root user. (CVE-2013-0170) This issue was discovered by Tingting Zheng of Red Hat. All users of libvirt are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, libvirtd will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id68716
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68716
    titleOracle Linux 6 : libvirt (ELSA-2013-0199)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20130128_LIBVIRT_ON_SL6_X.NASL
    descriptionA flaw was found in the way libvirtd handled connection cleanup (when a connection was being closed) under certain error conditions. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, execute arbitrary code with the privileges of the root user. (CVE-2013-0170) After installing the updated packages, libvirtd will be restarted automatically.
    last seen2020-03-18
    modified2013-01-29
    plugin id64282
    published2013-01-29
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/64282
    titleScientific Linux Security Update : libvirt on SL6.x i386/x86_64 (20130128)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201309-18.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201309-18 (libvirt: Multiple vulnerabilities) An error in the virNetMessageFree() function in rpc/virnetserverclient.c can lead to a use-after-free. Additionally, a socket leak in the remoteDispatchStoragePoolListAllVolumes command can lead to file descriptor exhaustion. Impact : A remote attacker could cause certain errors during an RPC connection to cause a message to be freed without being removed from the message queue, possibly resulting in execution of arbitrary code or a Denial of Service condition. Additionally, a remote attacker could repeatedly issue the command to list all pool volumes, causing a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id70130
    published2013-09-26
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/70130
    titleGLSA-201309-18 : libvirt: Multiple vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1708-1.NASL
    descriptionWenlong Huang discovered that libvirt incorrectly handled certain RPC calls. A remote attacker could exploit this and cause libvirt to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-4423) Tingting Zheng discovered that libvirt incorrectly handled cleanup under certain error conditions. A remote attacker could exploit this and cause libvirt to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-0170). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id64289
    published2013-01-30
    reporterUbuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/64289
    titleUbuntu 12.04 LTS / 12.10 : libvirt vulnerabilities (USN-1708-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2013-0199.NASL
    descriptionUpdated libvirt packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. A flaw was found in the way libvirtd handled connection cleanup (when a connection was being closed) under certain error conditions. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, execute arbitrary code with the privileges of the root user. (CVE-2013-0170) This issue was discovered by Tingting Zheng of Red Hat. All users of libvirt are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, libvirtd will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id64280
    published2013-01-29
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/64280
    titleRHEL 6 : libvirt (RHSA-2013:0199)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2013-0199.NASL
    descriptionUpdated libvirt packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. A flaw was found in the way libvirtd handled connection cleanup (when a connection was being closed) under certain error conditions. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, execute arbitrary code with the privileges of the root user. (CVE-2013-0170) This issue was discovered by Tingting Zheng of Red Hat. All users of libvirt are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, libvirtd will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id67096
    published2013-06-29
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67096
    titleCentOS 6 : libvirt (CESA-2013:0199)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_LIBVIRT-130205.NASL
    descriptionlibvirt was updated to fix the following security issue : - A flaw was found in the way message freeing on connection cleanup was handled under certain error conditions. A remote user able to issue commands to libvirt daemon could use this flaw to crash libvirtd or, potentially, escalate their privilages to that of libvirtd process. (CVE-2013-0170) Also following bug has been fixed : - Add managedSave functions to legacy xen driver (bnc#782311)
    last seen2020-06-05
    modified2013-02-21
    plugin id64781
    published2013-02-21
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/64781
    titleSuSE 11.2 Security Update : libvirt (SAT Patch Number 7310)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-1644.NASL
    description - Rebased to version 0.10.2.3 - Fix libxl driver to build against xen 4.2 (bz #870689) - Fix possible crash when destroying guests (bz #877110) - Fix loading sysctl file (bz #887017) - Fix svirt memory leak (bz #890039) - Fix attaching PCI netdev to VM (bz #893131) - Fix libvirtd segfault on shutdown (bz #903184) - Raise mem limit to stop qemu processes from getting OOM killed (bz #903432) - CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz #905173) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-02-06
    plugin id64477
    published2013-02-06
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/64477
    titleFedora 18 : libvirt-0.10.2.3-1.fc18 (2013-1644)

Redhat

advisories
bugzilla
id893450
titleCVE-2013-0170 libvirt: use-after-free in virNetMessageFree()
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 6 is installed
      ovaloval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • commentlibvirt-devel is earlier than 0:0.9.10-21.el6_3.8
          ovaloval:com.redhat.rhsa:tst:20130199001
        • commentlibvirt-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20131581004
      • AND
        • commentlibvirt-lock-sanlock is earlier than 0:0.9.10-21.el6_3.8
          ovaloval:com.redhat.rhsa:tst:20130199003
        • commentlibvirt-lock-sanlock is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20131581002
      • AND
        • commentlibvirt-client is earlier than 0:0.9.10-21.el6_3.8
          ovaloval:com.redhat.rhsa:tst:20130199005
        • commentlibvirt-client is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20131581008
      • AND
        • commentlibvirt is earlier than 0:0.9.10-21.el6_3.8
          ovaloval:com.redhat.rhsa:tst:20130199007
        • commentlibvirt is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20131581010
      • AND
        • commentlibvirt-python is earlier than 0:0.9.10-21.el6_3.8
          ovaloval:com.redhat.rhsa:tst:20130199009
        • commentlibvirt-python is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20131581006
rhsa
idRHSA-2013:0199
released2013-01-28
severityImportant
titleRHSA-2013:0199: libvirt security update (Important)
rpms
  • libvirt-0:0.9.10-21.el6_3.8
  • libvirt-client-0:0.9.10-21.el6_3.8
  • libvirt-debuginfo-0:0.9.10-21.el6_3.8
  • libvirt-devel-0:0.9.10-21.el6_3.8
  • libvirt-lock-sanlock-0:0.9.10-21.el6_3.8
  • libvirt-python-0:0.9.10-21.el6_3.8

References