Vulnerabilities > CVE-2014-3633 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt before 1.2.9, when a disk has been hot-plugged or removed from the live image, allows remote attackers to cause a denial of service (crash) or read sensitive heap information via a crafted blkiotune query, which triggers an out-of-bounds read.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 3 | |
Application | 9 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-1873.NASL description Updated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt last seen 2020-06-01 modified 2020-06-02 plugin id 79329 published 2014-11-19 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79329 title RHEL 6 : libvirt (RHSA-2014:1873) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-586.NASL description - CVE-2014-3657: Fix domain deadlock fc22b2e7-CVE-2014-3657.patch bsc#899484 - CVE-2014-3633: Use correct definition when looking up disk in qemu blkiotune 3e745e8f-CVE-2014-3633.patch bsc#897783 - spec: libvirt-daemon package owns /etc/libvirt, not libvirt-client bnc#878056 last seen 2020-06-05 modified 2014-10-15 plugin id 78451 published 2014-10-15 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78451 title openSUSE Security Update : libvirt (openSUSE-SU-2014:1290-1) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-115.NASL description Updated libvirt packages fix security vulnerabilities : The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to paths under /proc//root and the virInitctlSetRunLevel function (CVE-2013-6456). libvirt was patched to prevent expansion of entities when parsing XML files. This vulnerability allowed malicious users to read arbitrary files or cause a denial of service (CVE-2014-0179). An out-of-bounds read flaw was found in the way libvirt last seen 2020-06-01 modified 2020-06-02 plugin id 82368 published 2015-03-30 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82368 title Mandriva Linux Security Advisory : libvirt (MDVSA-2015:115) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2366-1.NASL description Daniel P. Berrange and Richard Jones discovered that libvirt incorrectly handled XML documents containing XML external entity declarations. An attacker could use this issue to cause libvirtd to crash, resulting in a denial of service on all affected releases, or possibly read arbitrary files if fine grained access control was enabled on Ubuntu 14.04 LTS. (CVE-2014-0179, CVE-2014-5177) Luyao Huang discovered that libvirt incorrectly handled certain blkiotune queries. An attacker could use this issue to cause libvirtd to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3633). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 78010 published 2014-10-01 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78010 title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : libvirt vulnerabilities (USN-2366-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201412-04.NASL description The remote host is affected by the vulnerability described in GLSA-201412-04 (libvirt: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in libvirt. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to cause a Denial of Service or cause information leakage. A local attacker may be able to escalate privileges, cause a Denial of Service or possibly execute arbitrary code. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 79814 published 2014-12-09 reporter This script is Copyright (C) 2014-2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/79814 title GLSA-201412-04 : libvirt: Multiple vulnerabilities NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2014-1352.NASL description Updated libvirt packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt last seen 2020-06-01 modified 2020-06-02 plugin id 78043 published 2014-10-06 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78043 title CentOS 7 : libvirt (CESA-2014:1352) NASL family Fedora Local Security Checks NASL id FEDORA_2014-15228.NASL description - Rebased to version 1.1.3.8 - CVE-2014-3633: out-of-bounds read in blockiotune (bz #1160823) - CVE-2014-3657: Potential deadlock in domain_conf (bz #1160824) - CVE-2014-7823: information leak with migratable flag (bz #1160822) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-11-24 plugin id 79397 published 2014-11-24 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/79397 title Fedora 20 : libvirt-1.1.3.8-1.fc20 (2014-15228) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2014-1873.NASL description Updated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt last seen 2020-06-01 modified 2020-06-02 plugin id 79338 published 2014-11-20 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79338 title CentOS 6 : libvirt (CESA-2014:1873) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-1352.NASL description From Red Hat Security Advisory 2014:1352 : Updated libvirt packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt last seen 2020-06-01 modified 2020-06-02 plugin id 78022 published 2014-10-02 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78022 title Oracle Linux 7 : libvirt (ELSA-2014-1352) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3038.NASL description Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2014-0179 Richard Jones and Daniel P. Berrange found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a special file that blocks on read access could use this flaw to cause libvirtd to hang indefinitely, resulting in a denial of service on the system. - CVE-2014-3633 Luyao Huang of Red Hat found that the qemu implementation of virDomainGetBlockIoTune computed an index into the array of disks for the live definition, then used it as the index into the array of disks for the persistent definition, which could result into an out-of-bounds read access in qemuDomainGetBlockIoTune(). A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process. last seen 2020-03-17 modified 2014-09-29 plugin id 77921 published 2014-09-29 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77921 title Debian DSA-3038-1 : libvirt - security update NASL family Scientific Linux Local Security Checks NASL id SL_20141118_LIBVIRT_ON_SL6_X.NASL description An out-of-bounds read flaw was found in the way libvirt last seen 2020-03-18 modified 2014-11-19 plugin id 79331 published 2014-11-19 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79331 title Scientific Linux Security Update : libvirt on SL6.x i386/x86_64 (20141118) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2014-195.NASL description Multiple vulnerabilities has been discovered and corrected in libvirt : An out-of-bounds read flaw was found in the way libvirt last seen 2020-06-01 modified 2020-06-02 plugin id 78062 published 2014-10-06 reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/78062 title Mandriva Linux Security Advisory : libvirt (MDVSA-2014:195) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-585.NASL description - CVE-2014-3657: Fix domain deadlock fc22b2e7-CVE-2014-3657.patch bsc#899484 - CVE-2014-3633: Use correct definition when looking up disk in qemu blkiotune 3e745e8f-CVE-2014-3633.patch bsc#897783 last seen 2020-06-05 modified 2014-10-15 plugin id 78450 published 2014-10-15 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78450 title openSUSE Security Update : libvirt (openSUSE-SU-2014:1293-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-1873.NASL description From Red Hat Security Advisory 2014:1873 : Updated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt last seen 2020-06-01 modified 2020-06-02 plugin id 79372 published 2014-11-21 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79372 title Oracle Linux 6 : libvirt (ELSA-2014-1873) NASL family SuSE Local Security Checks NASL id SUSE_11_KVM-LIBVIRT-201412-150123.NASL description This collective update for KVM and libvirt provides fixes for security and non-security issues. kvm : - Fix NULL pointer dereference because of uninitialized UDP socket. (bsc#897654, CVE-2014-3640) - Fix performance degradation after migration. (bsc#878350) - Fix potential image corruption due to missing FIEMAP_FLAG_SYNC flag in FS_IOC_FIEMAP ioctl. (bsc#908381) - Add validate hex properties for qdev. (bsc#852397) - Add boot option to do strict boot (bsc#900084) - Add query-command-line-options QMP command. (bsc#899144) - Fix incorrect return value of migrate_cancel. (bsc#843074) - Fix insufficient parameter validation during ram load. (bsc#905097, CVE-2014-7840) - Fix insufficient blit region checks in qemu/cirrus. (bsc#907805, CVE-2014-8106) libvirt : - Fix security hole with migratable flag in dumpxml. (bsc#904176, CVE-2014-7823) - Fix domain deadlock. (bsc#899484, CVE-2014-3657) - Use correct definition when looking up disk in qemu blkiotune. (bsc#897783, CVE-2014-3633) - Fix undefined symbol when starting virtlockd. (bsc#910145) - Add last seen 2020-06-01 modified 2020-06-02 plugin id 81480 published 2015-02-24 reporter This script is Copyright (C) 2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/81480 title SuSE 11.3 Security Update : kvm and libvirt (SAT Patch Number 10222) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-1352.NASL description Updated libvirt packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt last seen 2020-06-01 modified 2020-06-02 plugin id 78023 published 2014-10-02 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78023 title RHEL 7 : libvirt (RHSA-2014:1352) NASL family SuSE Local Security Checks NASL id SUSE_11_KVM-LIBVIRT-201412-150124.NASL description This collective update for KVM and libvirt provides fixes for security and non-security issues. kvm : - Fix NULL pointer dereference because of uninitialized UDP socket. (bsc#897654, CVE-2014-3640) - Fix performance degradation after migration. (bsc#878350) - Fix potential image corruption due to missing FIEMAP_FLAG_SYNC flag in FS_IOC_FIEMAP ioctl. (bsc#908381) - Add validate hex properties for qdev. (bsc#852397) - Add boot option to do strict boot (bsc#900084) - Add query-command-line-options QMP command. (bsc#899144) - Fix incorrect return value of migrate_cancel. (bsc#843074) - Fix insufficient parameter validation during ram load. (bsc#905097, CVE-2014-7840) - Fix insufficient blit region checks in qemu/cirrus. (bsc#907805, CVE-2014-8106) libvirt : - Fix security hole with migratable flag in dumpxml. (bsc#904176, CVE-2014-7823) - Fix domain deadlock. (bsc#899484, CVE-2014-3657) - Use correct definition when looking up disk in qemu blkiotune. (bsc#897783, CVE-2014-3633) - Fix undefined symbol when starting virtlockd. (bsc#910145) - Add last seen 2020-06-01 modified 2020-06-02 plugin id 81481 published 2015-02-24 reporter This script is Copyright (C) 2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/81481 title SuSE 11.3 Security Update : kvm and libvirt (SAT Patch Number 10222)
Redhat
advisories |
| ||||
rpms |
|
References
- http://security.libvirt.org/2014/0004.html
- http://rhn.redhat.com/errata/RHSA-2014-1352.html
- http://lists.opensuse.org/opensuse-updates/2014-10/msg00017.html
- http://lists.opensuse.org/opensuse-updates/2014-10/msg00014.html
- http://secunia.com/advisories/60291
- http://www.ubuntu.com/usn/USN-2366-1
- http://www.debian.org/security/2014/dsa-3038
- http://secunia.com/advisories/60895
- http://security.gentoo.org/glsa/glsa-201412-04.xml
- http://libvirt.org/git/?p=libvirt.git%3Ba=commitdiff%3Bh=3e745e8f775dfe6f64f18b5c2fe4791b35d3546b