Vulnerabilities > CVE-2014-3633 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt before 1.2.9, when a disk has been hot-plugged or removed from the live image, allows remote attackers to cause a denial of service (crash) or read sensitive heap information via a crafted blkiotune query, which triggers an out-of-bounds read.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2014-1873.NASL
    descriptionUpdated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt
    last seen2020-06-01
    modified2020-06-02
    plugin id79329
    published2014-11-19
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79329
    titleRHEL 6 : libvirt (RHSA-2014:1873)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2014-586.NASL
    description - CVE-2014-3657: Fix domain deadlock fc22b2e7-CVE-2014-3657.patch bsc#899484 - CVE-2014-3633: Use correct definition when looking up disk in qemu blkiotune 3e745e8f-CVE-2014-3633.patch bsc#897783 - spec: libvirt-daemon package owns /etc/libvirt, not libvirt-client bnc#878056
    last seen2020-06-05
    modified2014-10-15
    plugin id78451
    published2014-10-15
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78451
    titleopenSUSE Security Update : libvirt (openSUSE-SU-2014:1290-1)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-115.NASL
    descriptionUpdated libvirt packages fix security vulnerabilities : The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to paths under /proc//root and the virInitctlSetRunLevel function (CVE-2013-6456). libvirt was patched to prevent expansion of entities when parsing XML files. This vulnerability allowed malicious users to read arbitrary files or cause a denial of service (CVE-2014-0179). An out-of-bounds read flaw was found in the way libvirt
    last seen2020-06-01
    modified2020-06-02
    plugin id82368
    published2015-03-30
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82368
    titleMandriva Linux Security Advisory : libvirt (MDVSA-2015:115)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2366-1.NASL
    descriptionDaniel P. Berrange and Richard Jones discovered that libvirt incorrectly handled XML documents containing XML external entity declarations. An attacker could use this issue to cause libvirtd to crash, resulting in a denial of service on all affected releases, or possibly read arbitrary files if fine grained access control was enabled on Ubuntu 14.04 LTS. (CVE-2014-0179, CVE-2014-5177) Luyao Huang discovered that libvirt incorrectly handled certain blkiotune queries. An attacker could use this issue to cause libvirtd to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3633). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id78010
    published2014-10-01
    reporterUbuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78010
    titleUbuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : libvirt vulnerabilities (USN-2366-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201412-04.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201412-04 (libvirt: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in libvirt. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to cause a Denial of Service or cause information leakage. A local attacker may be able to escalate privileges, cause a Denial of Service or possibly execute arbitrary code. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id79814
    published2014-12-09
    reporterThis script is Copyright (C) 2014-2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79814
    titleGLSA-201412-04 : libvirt: Multiple vulnerabilities
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2014-1352.NASL
    descriptionUpdated libvirt packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt
    last seen2020-06-01
    modified2020-06-02
    plugin id78043
    published2014-10-06
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78043
    titleCentOS 7 : libvirt (CESA-2014:1352)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-15228.NASL
    description - Rebased to version 1.1.3.8 - CVE-2014-3633: out-of-bounds read in blockiotune (bz #1160823) - CVE-2014-3657: Potential deadlock in domain_conf (bz #1160824) - CVE-2014-7823: information leak with migratable flag (bz #1160822) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2014-11-24
    plugin id79397
    published2014-11-24
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79397
    titleFedora 20 : libvirt-1.1.3.8-1.fc20 (2014-15228)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2014-1873.NASL
    descriptionUpdated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt
    last seen2020-06-01
    modified2020-06-02
    plugin id79338
    published2014-11-20
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79338
    titleCentOS 6 : libvirt (CESA-2014:1873)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2014-1352.NASL
    descriptionFrom Red Hat Security Advisory 2014:1352 : Updated libvirt packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt
    last seen2020-06-01
    modified2020-06-02
    plugin id78022
    published2014-10-02
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78022
    titleOracle Linux 7 : libvirt (ELSA-2014-1352)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3038.NASL
    descriptionSeveral vulnerabilities were discovered in Libvirt, a virtualisation abstraction library. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2014-0179 Richard Jones and Daniel P. Berrange found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a special file that blocks on read access could use this flaw to cause libvirtd to hang indefinitely, resulting in a denial of service on the system. - CVE-2014-3633 Luyao Huang of Red Hat found that the qemu implementation of virDomainGetBlockIoTune computed an index into the array of disks for the live definition, then used it as the index into the array of disks for the persistent definition, which could result into an out-of-bounds read access in qemuDomainGetBlockIoTune(). A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process.
    last seen2020-03-17
    modified2014-09-29
    plugin id77921
    published2014-09-29
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/77921
    titleDebian DSA-3038-1 : libvirt - security update
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20141118_LIBVIRT_ON_SL6_X.NASL
    descriptionAn out-of-bounds read flaw was found in the way libvirt
    last seen2020-03-18
    modified2014-11-19
    plugin id79331
    published2014-11-19
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79331
    titleScientific Linux Security Update : libvirt on SL6.x i386/x86_64 (20141118)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2014-195.NASL
    descriptionMultiple vulnerabilities has been discovered and corrected in libvirt : An out-of-bounds read flaw was found in the way libvirt
    last seen2020-06-01
    modified2020-06-02
    plugin id78062
    published2014-10-06
    reporterThis script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/78062
    titleMandriva Linux Security Advisory : libvirt (MDVSA-2014:195)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2014-585.NASL
    description - CVE-2014-3657: Fix domain deadlock fc22b2e7-CVE-2014-3657.patch bsc#899484 - CVE-2014-3633: Use correct definition when looking up disk in qemu blkiotune 3e745e8f-CVE-2014-3633.patch bsc#897783
    last seen2020-06-05
    modified2014-10-15
    plugin id78450
    published2014-10-15
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78450
    titleopenSUSE Security Update : libvirt (openSUSE-SU-2014:1293-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2014-1873.NASL
    descriptionFrom Red Hat Security Advisory 2014:1873 : Updated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt
    last seen2020-06-01
    modified2020-06-02
    plugin id79372
    published2014-11-21
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79372
    titleOracle Linux 6 : libvirt (ELSA-2014-1873)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_KVM-LIBVIRT-201412-150123.NASL
    descriptionThis collective update for KVM and libvirt provides fixes for security and non-security issues. kvm : - Fix NULL pointer dereference because of uninitialized UDP socket. (bsc#897654, CVE-2014-3640) - Fix performance degradation after migration. (bsc#878350) - Fix potential image corruption due to missing FIEMAP_FLAG_SYNC flag in FS_IOC_FIEMAP ioctl. (bsc#908381) - Add validate hex properties for qdev. (bsc#852397) - Add boot option to do strict boot (bsc#900084) - Add query-command-line-options QMP command. (bsc#899144) - Fix incorrect return value of migrate_cancel. (bsc#843074) - Fix insufficient parameter validation during ram load. (bsc#905097, CVE-2014-7840) - Fix insufficient blit region checks in qemu/cirrus. (bsc#907805, CVE-2014-8106) libvirt : - Fix security hole with migratable flag in dumpxml. (bsc#904176, CVE-2014-7823) - Fix domain deadlock. (bsc#899484, CVE-2014-3657) - Use correct definition when looking up disk in qemu blkiotune. (bsc#897783, CVE-2014-3633) - Fix undefined symbol when starting virtlockd. (bsc#910145) - Add
    last seen2020-06-01
    modified2020-06-02
    plugin id81480
    published2015-02-24
    reporterThis script is Copyright (C) 2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/81480
    titleSuSE 11.3 Security Update : kvm and libvirt (SAT Patch Number 10222)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2014-1352.NASL
    descriptionUpdated libvirt packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt
    last seen2020-06-01
    modified2020-06-02
    plugin id78023
    published2014-10-02
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78023
    titleRHEL 7 : libvirt (RHSA-2014:1352)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_KVM-LIBVIRT-201412-150124.NASL
    descriptionThis collective update for KVM and libvirt provides fixes for security and non-security issues. kvm : - Fix NULL pointer dereference because of uninitialized UDP socket. (bsc#897654, CVE-2014-3640) - Fix performance degradation after migration. (bsc#878350) - Fix potential image corruption due to missing FIEMAP_FLAG_SYNC flag in FS_IOC_FIEMAP ioctl. (bsc#908381) - Add validate hex properties for qdev. (bsc#852397) - Add boot option to do strict boot (bsc#900084) - Add query-command-line-options QMP command. (bsc#899144) - Fix incorrect return value of migrate_cancel. (bsc#843074) - Fix insufficient parameter validation during ram load. (bsc#905097, CVE-2014-7840) - Fix insufficient blit region checks in qemu/cirrus. (bsc#907805, CVE-2014-8106) libvirt : - Fix security hole with migratable flag in dumpxml. (bsc#904176, CVE-2014-7823) - Fix domain deadlock. (bsc#899484, CVE-2014-3657) - Use correct definition when looking up disk in qemu blkiotune. (bsc#897783, CVE-2014-3633) - Fix undefined symbol when starting virtlockd. (bsc#910145) - Add
    last seen2020-06-01
    modified2020-06-02
    plugin id81481
    published2015-02-24
    reporterThis script is Copyright (C) 2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/81481
    titleSuSE 11.3 Security Update : kvm and libvirt (SAT Patch Number 10222)

Redhat

advisories
rhsa
idRHSA-2014:1352
rpms
  • libvirt-0:1.1.1-29.el7_0.3
  • libvirt-client-0:1.1.1-29.el7_0.3
  • libvirt-daemon-0:1.1.1-29.el7_0.3
  • libvirt-daemon-config-network-0:1.1.1-29.el7_0.3
  • libvirt-daemon-config-nwfilter-0:1.1.1-29.el7_0.3
  • libvirt-daemon-driver-interface-0:1.1.1-29.el7_0.3
  • libvirt-daemon-driver-lxc-0:1.1.1-29.el7_0.3
  • libvirt-daemon-driver-network-0:1.1.1-29.el7_0.3
  • libvirt-daemon-driver-nodedev-0:1.1.1-29.el7_0.3
  • libvirt-daemon-driver-nwfilter-0:1.1.1-29.el7_0.3
  • libvirt-daemon-driver-qemu-0:1.1.1-29.el7_0.3
  • libvirt-daemon-driver-secret-0:1.1.1-29.el7_0.3
  • libvirt-daemon-driver-storage-0:1.1.1-29.el7_0.3
  • libvirt-daemon-kvm-0:1.1.1-29.el7_0.3
  • libvirt-daemon-lxc-0:1.1.1-29.el7_0.3
  • libvirt-debuginfo-0:1.1.1-29.el7_0.3
  • libvirt-devel-0:1.1.1-29.el7_0.3
  • libvirt-docs-0:1.1.1-29.el7_0.3
  • libvirt-lock-sanlock-0:1.1.1-29.el7_0.3
  • libvirt-login-shell-0:1.1.1-29.el7_0.3
  • libvirt-python-0:1.1.1-29.el7_0.3
  • libvirt-0:0.10.2-46.el6_6.2
  • libvirt-client-0:0.10.2-46.el6_6.2
  • libvirt-debuginfo-0:0.10.2-46.el6_6.2
  • libvirt-devel-0:0.10.2-46.el6_6.2
  • libvirt-lock-sanlock-0:0.10.2-46.el6_6.2
  • libvirt-python-0:0.10.2-46.el6_6.2