Vulnerabilities > CVE-2018-1064 - Resource Exhaustion vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

debian

redhat

CWE-400

nessus

NVD

Published: 2018-03-28

Updated: 2023-11-07

Summary

libvirt version before 4.2.0-rc1 is vulnerable to a resource exhaustion as a result of an incomplete fix for CVE-2018-5748 that affects QEMU monitor but now also triggered via QEMU guest agent.

Vulnerable Configurations

Part	Description	Count
OS	Debian Debian Debian Linux 8.0 Debian Debian Linux 7.0 Debian Debian Linux 9.0	3
Application	Redhat Redhat Libvirt - Redhat Libvirt 0.0.1 Redhat Libvirt 0.0.2 Redhat Libvirt 0.0.3 Redhat Libvirt 0.0.4 Redhat Libvirt 0.0.5 Redhat Libvirt 0.0.6 Redhat Libvirt 0.1.0 Redhat Libvirt 0.1.1 Redhat Libvirt 0.1.3 Redhat Libvirt 0.1.4 Redhat Libvirt 0.1.5 Redhat Libvirt 0.1.6 Redhat Libvirt 0.1.7 Redhat Libvirt 0.1.8 Redhat Libvirt 0.1.9 Redhat Libvirt 0.1.10 Redhat Libvirt 0.1.11 Redhat Libvirt 0.2.0 Redhat Libvirt 0.2.1 Redhat Libvirt 0.2.2 Redhat Libvirt 0.2.3 Redhat Libvirt 0.3.0 Redhat Libvirt 0.3.1 Redhat Libvirt 0.3.2 Redhat Libvirt 0.3.3 Redhat Libvirt 0.4.0 Redhat Libvirt 0.4.1 Redhat Libvirt 0.4.2 Redhat Libvirt 0.4.3 Redhat Libvirt 0.4.4 Redhat Libvirt 0.4.5 Redhat Libvirt 0.4.6 Redhat Libvirt 0.5.0 Redhat Libvirt 0.5.1 Redhat Libvirt 0.6.0 Redhat Libvirt 0.6.1 Redhat Libvirt 0.6.2 Redhat Libvirt 0.6.3 Redhat Libvirt 0.6.4 Redhat Libvirt 0.6.5 Redhat Libvirt 0.7.0 Redhat Libvirt 0.7.1 Redhat Libvirt 0.7.2 Redhat Libvirt 0.7.3 Redhat Libvirt 0.7.4 Redhat Libvirt 0.7.5 Redhat Libvirt 0.7.6 Redhat Libvirt 0.7.7 Redhat Libvirt 0.8.0 Redhat Libvirt 0.8.1 Redhat Libvirt 0.8.2 Redhat Libvirt 0.8.3 Redhat Libvirt 0.8.4 Redhat Libvirt 0.8.5 Redhat Libvirt 0.8.6 Redhat Libvirt 0.8.7 Redhat Libvirt 0.8.8 Redhat Libvirt 0.9.0 Redhat Libvirt 0.9.1 Redhat Libvirt 0.9.2 Redhat Libvirt 0.9.3 Redhat Libvirt 0.9.4 Redhat Libvirt 0.9.5 Redhat Libvirt 0.9.6 Redhat Libvirt 0.9.6.1 Redhat Libvirt 0.9.6.2 Redhat Libvirt 0.9.6.3 Redhat Libvirt 0.9.6.4 Redhat Libvirt 0.9.7 Redhat Libvirt 0.9.8 Redhat Libvirt 0.9.9 Redhat Libvirt 0.9.10 Redhat Libvirt 0.9.11 Redhat Libvirt 0.9.11.1 Redhat Libvirt 0.9.11.2 Redhat Libvirt 0.9.11.3 Redhat Libvirt 0.9.11.4 Redhat Libvirt 0.9.11.5 Redhat Libvirt 0.9.11.6 Redhat Libvirt 0.9.11.7 Redhat Libvirt 0.9.11.8 Redhat Libvirt 0.9.11.9 Redhat Libvirt 0.9.11.10 Redhat Libvirt 0.9.12 Redhat Libvirt 0.9.12.1 Redhat Libvirt 0.9.12.2 Redhat Libvirt 0.9.12.3 Redhat Libvirt 0.9.13 Redhat Libvirt 0.10.0 Redhat Libvirt 0.10.1 Redhat Libvirt 0.10.2 Redhat Libvirt 0.10.2.1 Redhat Libvirt 0.10.2.2 Redhat Libvirt 0.10.2.3 Redhat Libvirt 0.10.2.4 Redhat Libvirt 0.10.2.5 Redhat Libvirt 0.10.2.6 Redhat Libvirt 0.10.2.7 Redhat Libvirt 0.10.2.8 Redhat Libvirt 1.0.0 Redhat Libvirt 1.0.1 Redhat Libvirt 1.0.2 Redhat Libvirt 1.0.3 Redhat Libvirt 1.0.4 Redhat Libvirt 1.0.5 Redhat Libvirt 1.0.5.1 Redhat Libvirt 1.0.5.2 Redhat Libvirt 1.0.5.3 Redhat Libvirt 1.0.5.4 Redhat Libvirt 1.0.5.5 Redhat Libvirt 1.0.5.6 Redhat Libvirt 1.0.5.7 Redhat Libvirt 1.0.5.8 Redhat Libvirt 1.0.5.9 Redhat Libvirt 1.0.6 Redhat Libvirt 1.1.0 Redhat Libvirt 1.1.1 Redhat Libvirt 1.1.2 Redhat Libvirt 1.1.3 Redhat Libvirt 1.1.3.1 Redhat Libvirt 1.1.3.2 Redhat Libvirt 1.1.3.3 Redhat Libvirt 1.1.3.4 Redhat Libvirt 1.1.3.5 Redhat Libvirt 1.1.3.6 Redhat Libvirt 1.1.3.7 Redhat Libvirt 1.1.3.8 Redhat Libvirt 1.1.3.9 Redhat Libvirt 1.1.4 Redhat Libvirt 1.2.0 Redhat Libvirt 1.2.1 Redhat Libvirt 1.2.2 Redhat Libvirt 1.2.3 Redhat Libvirt 1.2.4 Redhat Libvirt 1.2.5 Redhat Libvirt 1.2.6 Redhat Libvirt 1.2.7 Redhat Libvirt 1.2.8 Redhat Libvirt 1.2.9 Redhat Libvirt 1.2.9.1 Redhat Libvirt 1.2.9.2 Redhat Libvirt 1.2.9.3 Redhat Libvirt 1.2.10 Redhat Libvirt 1.2.11 Redhat Libvirt 1.2.12 Redhat Libvirt 1.2.13 Redhat Libvirt 1.2.13.1 Redhat Libvirt 1.2.13.2 Redhat Libvirt 1.2.14 Redhat Libvirt 1.2.15 Redhat Libvirt 1.2.16 Redhat Libvirt 1.2.17 Redhat Libvirt 1.2.18 Redhat Libvirt 1.2.18.1 Redhat Libvirt 1.2.18.2 Redhat Libvirt 1.2.18.3 Redhat Libvirt 1.2.18.4 Redhat Libvirt 1.2.19 Redhat Libvirt 1.2.20 Redhat Libvirt 1.2.21 Redhat Libvirt 1.3.0 Redhat Libvirt 1.3.1 Redhat Libvirt 1.3.2 Redhat Libvirt 1.3.3 Redhat Libvirt 1.3.3.1 Redhat Libvirt 1.3.3.2 Redhat Libvirt 1.3.3.3 Redhat Libvirt 1.3.4 Redhat Libvirt 1.3.5 Redhat Libvirt 1.40.0 Redhat Libvirt 2.0.0 Redhat Libvirt 2.1.0 Redhat Libvirt 2.2.0 Redhat Libvirt 2.2.1 Redhat Libvirt 2.3.0 Redhat Libvirt 2.4.0 Redhat Libvirt 2.5.0 Redhat Libvirt 3.0.0 Redhat Libvirt 3.1.0 Redhat Libvirt 3.2.0 Redhat Libvirt 3.2.1 Redhat Libvirt 3.3.0 Redhat Libvirt 3.4.0 Redhat Libvirt 3.5.0 Redhat Libvirt 3.6.0 Redhat Libvirt 3.7.0 Redhat Libvirt 3.8.0 Redhat Libvirt 3.9.0 Redhat Libvirt 3.10.0 Redhat Libvirt 4.0.0 Redhat Libvirt 4.1.0	363

Common Weakness Enumeration (CWE)

CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')

Common Attack Pattern Enumeration and Classification (CAPEC)

XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
XML Entity Expansion
An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.
Inducing Account Lockout
An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))
XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .Net, databases, and so on. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. There are three primary attack vectors that XDoS can navigate Target CPU through recursion: attacker creates a recursive payload and sends to service provider Target memory through jumbo payloads: service provider uses DOM to parse XML. DOM creates in memory representation of XML document, but when document is very large (for example, north of 1 Gb) service provider host may exhaust memory trying to build memory objects. XML Ping of death: attack service provider with numerous small files that clog the system. All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.

Nessus

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2018-1396.NASL
description	An update for libvirt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix(es) : * libvirt: Resource exhaustion via qemuMonitorIORead() method (CVE-2018-5748) * libvirt: Incomplete fix for CVE-2018-5748 triggered by QEMU guest agent (CVE-2018-1064) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2018-1064 issue was discovered by Daniel P. Berrange (Red Hat) and the CVE-2018-5748 issue was discovered by Daniel P. Berrange (Red Hat) and Peter Krempa (Red Hat). Bug Fix(es) : * Previously, the check for a non-unique device boot order did not properly handle updates of existing devices when a new device was attached to a guest. Consequently, updating any device with a specified boot order failed. With this update, the duplicity check detects correctly handles updates and ignores the original device, which avoids reporting false conflicts. As a result, updating a device with a boot order succeeds. (BZ# 1557922) * In Red Hat Enterprise Linux 7.5, guests with SCSI passthrough enabled failed to boot because of changes in kernel CGroup detection. With this update, libvirt fetches dependencies and adds them to the device CGroup. As a result, and the affected guests now start as expected. (BZ#1564996) * The VMX parser in libvirt did not parse more than four network interfaces. As a consequence, the esx driver did not expose more than four network interface cards (NICs) for guests running ESXi. With this update, the VMX parser parses all the available NICs in .vmx files. As a result, libvirt reports all the NICs of guests running ESXi. (BZ#1566524) * Previously, user aliases for PTY devices that were longer than 32 characters were not supported. Consequently, if a domain included a PTY device with a user alias longer than 32 characters, the domain would not start. With this update, a static buffer was replaced with a dynamic buffer. As a result, the domain starts even if the length of the user alias for a PTY device is longer than 32 characters. (BZ#1566525)
last seen	2020-06-01
modified	2020-06-02
plugin id	109833
published	2018-05-16
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109833
title	RHEL 7 : libvirt (RHSA-2018:1396)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2018:1396. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(109833); script_version("1.7"); script_cvs_date("Date: 2019/10/24 15:35:44"); script_cve_id("CVE-2018-1064", "CVE-2018-5748"); script_xref(name:"RHSA", value:"2018:1396"); script_name(english:"RHEL 7 : libvirt (RHSA-2018:1396)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for libvirt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix(es) : * libvirt: Resource exhaustion via qemuMonitorIORead() method (CVE-2018-5748) * libvirt: Incomplete fix for CVE-2018-5748 triggered by QEMU guest agent (CVE-2018-1064) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2018-1064 issue was discovered by Daniel P. Berrange (Red Hat) and the CVE-2018-5748 issue was discovered by Daniel P. Berrange (Red Hat) and Peter Krempa (Red Hat). Bug Fix(es) : * Previously, the check for a non-unique device boot order did not properly handle updates of existing devices when a new device was attached to a guest. Consequently, updating any device with a specified boot order failed. With this update, the duplicity check detects correctly handles updates and ignores the original device, which avoids reporting false conflicts. As a result, updating a device with a boot order succeeds. (BZ# 1557922) * In Red Hat Enterprise Linux 7.5, guests with SCSI passthrough enabled failed to boot because of changes in kernel CGroup detection. With this update, libvirt fetches dependencies and adds them to the device CGroup. As a result, and the affected guests now start as expected. (BZ#1564996) * The VMX parser in libvirt did not parse more than four network interfaces. As a consequence, the esx driver did not expose more than four network interface cards (NICs) for guests running ESXi. With this update, the VMX parser parses all the available NICs in .vmx files. As a result, libvirt reports all the NICs of guests running ESXi. (BZ#1566524) * Previously, user aliases for PTY devices that were longer than 32 characters were not supported. Consequently, if a domain included a PTY device with a user alias longer than 32 characters, the domain would not start. With this update, a static buffer was replaced with a dynamic buffer. As a result, the domain starts even if the length of the user alias for a PTY device is longer than 32 characters. (BZ#1566525)" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2018:1396" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-1064" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-5748" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-admin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-config-network"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-config-nwfilter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-interface"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-lxc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-network"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-nodedev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-nwfilter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-qemu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-secret"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-storage"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-storage-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-storage-disk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-storage-gluster"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-storage-iscsi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-storage-logical"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-storage-mpath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-storage-rbd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-driver-storage-scsi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-daemon-lxc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-docs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-lock-sanlock"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-login-shell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvirt-nss"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/25"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2018:1396"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-admin-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-admin-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", reference:"libvirt-client-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-config-network-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-config-network-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-config-nwfilter-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-config-nwfilter-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-interface-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-interface-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-lxc-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-lxc-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-network-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-network-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-nodedev-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-nodedev-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-nwfilter-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-nwfilter-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-qemu-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-qemu-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-secret-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-secret-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-storage-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-storage-core-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-core-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-storage-disk-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-disk-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-gluster-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-storage-iscsi-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-iscsi-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-storage-logical-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-logical-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-storage-mpath-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-mpath-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-rbd-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-driver-storage-scsi-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-scsi-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-kvm-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-kvm-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-daemon-lxc-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-daemon-lxc-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", reference:"libvirt-debuginfo-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", reference:"libvirt-devel-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-docs-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-docs-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", reference:"libvirt-libs-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-lock-sanlock-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-lock-sanlock-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libvirt-login-shell-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvirt-login-shell-3.9.0-14.el7_5.4")) flag++; if (rpm_check(release:"RHEL7", reference:"libvirt-nss-3.9.0-14.el7_5.4")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvirt / libvirt-admin / libvirt-client / libvirt-daemon / etc"); } }

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20180619_LIBVIRT_ON_SL6_X.NASL
description	Security Fix(es) : - libvirt: Resource exhaustion via qemuMonitorIORead() method (CVE-2018-5748) - libvirt: Incomplete fix for CVE-2018-5748 triggered by QEMU guest agent (CVE-2018-1064)
last seen	2020-03-18
modified	2018-07-03
plugin id	110888
published	2018-07-03
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/110888
title	Scientific Linux Security Update : libvirt on SL6.x i386/x86_64 (20180619)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(110888); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24"); script_cve_id("CVE-2018-1064", "CVE-2018-5748"); script_name(english:"Scientific Linux Security Update : libvirt on SL6.x i386/x86_64 (20180619)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Security Fix(es) : - libvirt: Resource exhaustion via qemuMonitorIORead() method (CVE-2018-5748) - libvirt: Incomplete fix for CVE-2018-5748 triggered by QEMU guest agent (CVE-2018-1064)" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1807&L=scientific-linux-errata&F=&S=&P=2766 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?25c231b9" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-lock-sanlock"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-python"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/25"); script_set_attribute(attribute:"patch_publication_date", value:"2018/06/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL6", reference:"libvirt-0.10.2-64.el6")) flag++; if (rpm_check(release:"SL6", reference:"libvirt-client-0.10.2-64.el6")) flag++; if (rpm_check(release:"SL6", reference:"libvirt-debuginfo-0.10.2-64.el6")) flag++; if (rpm_check(release:"SL6", reference:"libvirt-devel-0.10.2-64.el6")) flag++; if (rpm_check(release:"SL6", cpu:"x86_64", reference:"libvirt-lock-sanlock-0.10.2-64.el6")) flag++; if (rpm_check(release:"SL6", reference:"libvirt-python-0.10.2-64.el6")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvirt / libvirt-client / libvirt-debuginfo / libvirt-devel / etc"); }

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-4137.NASL
description	Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library : - CVE-2018-1064 Daniel Berrange discovered that the QEMU guest agent performed insufficient validation of incoming data, which allows a privileged user in the guest to exhaust resources on the virtualisation host, resulting in denial of service. - CVE-2018-5748 Daniel Berrange and Peter Krempa discovered that the QEMU monitor was susceptible to denial of service by memory exhaustion. This was already fixed in Debian stretch and only affects Debian jessie. - CVE-2018-6764 Pedro Sampaio discovered that LXC containers detected the hostname insecurely. This only affects Debian stretch.
last seen	2020-06-01
modified	2020-06-02
plugin id	108346
published	2018-03-15
reporter	This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/108346
title	Debian DSA-4137-1 : libvirt - security update
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4137. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(108346); script_version("1.5"); script_cvs_date("Date: 2018/11/13 12:30:46"); script_cve_id("CVE-2018-1064", "CVE-2018-5748", "CVE-2018-6764"); script_xref(name:"DSA", value:"4137"); script_name(english:"Debian DSA-4137-1 : libvirt - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library : - CVE-2018-1064 Daniel Berrange discovered that the QEMU guest agent performed insufficient validation of incoming data, which allows a privileged user in the guest to exhaust resources on the virtualisation host, resulting in denial of service. - CVE-2018-5748 Daniel Berrange and Peter Krempa discovered that the QEMU monitor was susceptible to denial of service by memory exhaustion. This was already fixed in Debian stretch and only affects Debian jessie. - CVE-2018-6764 Pedro Sampaio discovered that LXC containers detected the hostname insecurely. This only affects Debian stretch." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-1064" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-5748" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-6764" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/libvirt" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/libvirt" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/libvirt" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2018/dsa-4137" ); script_set_attribute( attribute:"solution", value: "Upgrade the libvirt packages. For the oldstable distribution (jessie), these problems have been fixed in version 1.2.9-9+deb8u5. For the stable distribution (stretch), these problems have been fixed in version 3.0.0-4+deb9u3." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvirt"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2018/03/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"libvirt-bin", reference:"1.2.9-9+deb8u5")) flag++; if (deb_check(release:"8.0", prefix:"libvirt-clients", reference:"1.2.9-9+deb8u5")) flag++; if (deb_check(release:"8.0", prefix:"libvirt-daemon", reference:"1.2.9-9+deb8u5")) flag++; if (deb_check(release:"8.0", prefix:"libvirt-daemon-system", reference:"1.2.9-9+deb8u5")) flag++; if (deb_check(release:"8.0", prefix:"libvirt-dev", reference:"1.2.9-9+deb8u5")) flag++; if (deb_check(release:"8.0", prefix:"libvirt-doc", reference:"1.2.9-9+deb8u5")) flag++; if (deb_check(release:"8.0", prefix:"libvirt-sanlock", reference:"1.2.9-9+deb8u5")) flag++; if (deb_check(release:"8.0", prefix:"libvirt0", reference:"1.2.9-9+deb8u5")) flag++; if (deb_check(release:"8.0", prefix:"libvirt0-dbg", reference:"1.2.9-9+deb8u5")) flag++; if (deb_check(release:"9.0", prefix:"libnss-libvirt", reference:"3.0.0-4+deb9u3")) flag++; if (deb_check(release:"9.0", prefix:"libvirt-clients", reference:"3.0.0-4+deb9u3")) flag++; if (deb_check(release:"9.0", prefix:"libvirt-daemon", reference:"3.0.0-4+deb9u3")) flag++; if (deb_check(release:"9.0", prefix:"libvirt-daemon-system", reference:"3.0.0-4+deb9u3")) flag++; if (deb_check(release:"9.0", prefix:"libvirt-dev", reference:"3.0.0-4+deb9u3")) flag++; if (deb_check(release:"9.0", prefix:"libvirt-doc", reference:"3.0.0-4+deb9u3")) flag++; if (deb_check(release:"9.0", prefix:"libvirt-sanlock", reference:"3.0.0-4+deb9u3")) flag++; if (deb_check(release:"9.0", prefix:"libvirt0", reference:"3.0.0-4+deb9u3")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2018-1_0-0129_LIBVIRT.NASL
description	An update of the libvirt package has been released.
last seen	2020-03-17
modified	2019-02-07
plugin id	121833
published	2019-02-07
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/121833
title	Photon OS 1.0: Libvirt PHSA-2018-1.0-0129
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2018-1.0-0129. The text # itself is copyright (C) VMware, Inc. include('compat.inc'); if (description) { script_id(121833); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2019/02/07"); script_cve_id("CVE-2018-1064"); script_name(english:"Photon OS 1.0: Libvirt PHSA-2018-1.0-0129"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote PhotonOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "An update of the libvirt package has been released."); script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-1.0-129.md"); script_set_attribute(attribute:"solution", value: "Update the affected Linux packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1000140"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/27"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/07"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:libvirt"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) \|\| release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux\|OS) 1\.0(\D\|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; if (rpm_check(release:"PhotonOS-1.0", reference:"libvirt-3.2.0-4.ph1")) flag++; if (rpm_check(release:"PhotonOS-1.0", reference:"libvirt-debuginfo-3.2.0-4.ph1")) flag++; if (rpm_check(release:"PhotonOS-1.0", reference:"libvirt-devel-3.2.0-4.ph1")) flag++; if (rpm_check(release:"PhotonOS-1.0", reference:"libvirt-docs-3.2.0-4.ph1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvirt"); }

NASL family	Amazon Linux Local Security Checks
NASL id	AL2_ALAS-2018-1049.NASL
description	An incomplete fix for CVE-2018-5748 that affects QEMU monitor leading to a resource exhaustion but now also triggered via QEMU guest agent.(CVE-2018-1064) qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply.(CVE-2018-5748) An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
last seen	2020-06-01
modified	2020-06-02
plugin id	111336
published	2018-07-26
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/111336
title	Amazon Linux 2 : libvirt (ALAS-2018-1049) (Spectre)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux 2 Security Advisory ALAS-2018-1049. # include("compat.inc"); if (description) { script_id(111336); script_version("1.2"); script_cvs_date("Date: 2019/04/05 23:25:05"); script_cve_id("CVE-2018-1064", "CVE-2018-3639", "CVE-2018-5748"); script_xref(name:"ALAS", value:"2018-1049"); script_name(english:"Amazon Linux 2 : libvirt (ALAS-2018-1049) (Spectre)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux 2 host is missing a security update." ); script_set_attribute( attribute:"description", value: "An incomplete fix for CVE-2018-5748 that affects QEMU monitor leading to a resource exhaustion but now also triggered via QEMU guest agent.(CVE-2018-1064) qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply.(CVE-2018-5748) An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.(CVE-2018-3639)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2018-1049.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update libvirt' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-admin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-config-network"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-config-nwfilter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-interface"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-lxc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-network"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-nodedev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-nwfilter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-qemu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-secret"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-storage"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-storage-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-storage-disk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-storage-gluster"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-storage-iscsi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-storage-logical"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-storage-mpath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-storage-rbd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-driver-storage-scsi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-daemon-lxc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-docs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-lock-sanlock"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-login-shell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libvirt-nss"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2"); script_set_attribute(attribute:"patch_publication_date", value:"2018/07/24"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) \|\| !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A\|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "2") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-admin-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-client-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-config-network-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-config-nwfilter-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-interface-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-lxc-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-network-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-nodedev-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-nwfilter-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-qemu-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-secret-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-core-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-disk-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-gluster-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-iscsi-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-logical-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-mpath-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-rbd-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-scsi-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-kvm-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-daemon-lxc-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-debuginfo-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-devel-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-docs-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-libs-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-lock-sanlock-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-login-shell-3.9.0-14.amzn2.6")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"libvirt-nss-3.9.0-14.amzn2.6")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvirt / libvirt-admin / libvirt-client / libvirt-daemon / etc"); }

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2018-1929.NASL
description	An update for libvirt is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix(es) : * libvirt: Resource exhaustion via qemuMonitorIORead() method (CVE-2018-5748) * libvirt: Incomplete fix for CVE-2018-5748 triggered by QEMU guest agent (CVE-2018-1064) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2018-5748 issue was discovered by Daniel P. Berrange (Red Hat) and Peter Krempa (Red Hat), and the CVE-2018-1064 issue was discovered by Daniel P. Berrange (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	110651
published	2018-06-22
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/110651
title	CentOS 6 : libvirt (CESA-2018:1929)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2018-1396.NASL
description	From Red Hat Security Advisory 2018:1396 : An update for libvirt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix(es) : * libvirt: Resource exhaustion via qemuMonitorIORead() method (CVE-2018-5748) * libvirt: Incomplete fix for CVE-2018-5748 triggered by QEMU guest agent (CVE-2018-1064) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2018-1064 issue was discovered by Daniel P. Berrange (Red Hat) and the CVE-2018-5748 issue was discovered by Daniel P. Berrange (Red Hat) and Peter Krempa (Red Hat). Bug Fix(es) : * Previously, the check for a non-unique device boot order did not properly handle updates of existing devices when a new device was attached to a guest. Consequently, updating any device with a specified boot order failed. With this update, the duplicity check detects correctly handles updates and ignores the original device, which avoids reporting false conflicts. As a result, updating a device with a boot order succeeds. (BZ# 1557922) * In Red Hat Enterprise Linux 7.5, guests with SCSI passthrough enabled failed to boot because of changes in kernel CGroup detection. With this update, libvirt fetches dependencies and adds them to the device CGroup. As a result, and the affected guests now start as expected. (BZ#1564996) * The VMX parser in libvirt did not parse more than four network interfaces. As a consequence, the esx driver did not expose more than four network interface cards (NICs) for guests running ESXi. With this update, the VMX parser parses all the available NICs in .vmx files. As a result, libvirt reports all the NICs of guests running ESXi. (BZ#1566524) * Previously, user aliases for PTY devices that were longer than 32 characters were not supported. Consequently, if a domain included a PTY device with a user alias longer than 32 characters, the domain would not start. With this update, a static buffer was replaced with a dynamic buffer. As a result, the domain starts even if the length of the user alias for a PTY device is longer than 32 characters. (BZ#1566525)
last seen	2020-06-01
modified	2020-06-02
plugin id	109808
published	2018-05-15
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109808
title	Oracle Linux 7 : libvirt (ELSA-2018-1396)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2018-1929.NASL
description	An update for libvirt is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix(es) : * libvirt: Resource exhaustion via qemuMonitorIORead() method (CVE-2018-5748) * libvirt: Incomplete fix for CVE-2018-5748 triggered by QEMU guest agent (CVE-2018-1064) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2018-5748 issue was discovered by Daniel P. Berrange (Red Hat) and Peter Krempa (Red Hat), and the CVE-2018-1064 issue was discovered by Daniel P. Berrange (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	110606
published	2018-06-19
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/110606
title	RHEL 6 : libvirt (RHSA-2018:1929)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-0861-1.NASL
description	This update for libvirt fixes the following issues: Security issues fixed : - CVE-2017-5715: Fixes for speculative side channel attacks aka
last seen	2020-06-01
modified	2020-06-02
plugin id	108827
published	2018-04-04
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/108827
title	SUSE SLED12 / SLES12 Security Update : libvirt (SUSE-SU-2018:0861-1) (Spectre)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-2141-1.NASL
description	This update for libvirt fixes the following issues: Security issues fixed : - CVE-2018-3639: Add support for
last seen	2020-06-01
modified	2020-06-02
plugin id	111503
published	2018-08-02
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/111503
title	SUSE SLES12 Security Update : libvirt (SUSE-SU-2018:2141-1) (Spectre)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-0838-1.NASL
description	This update for libvirt fixes the following issues: Security issues fixed : - CVE-2017-5715: Fixes for speculative side channel attacks aka
last seen	2020-06-01
modified	2020-06-02
plugin id	108745
published	2018-03-30
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/108745
title	SUSE SLES11 Security Update : libvirt (SUSE-SU-2018:0838-1) (Spectre)

NASL family	Junos Local Security Checks
NASL id	JUNIPER_SPACE_JSA10917_184R1.NASL
description	According to its self-reported version number, the remote Junos Space version is 18.4.x prior to 18.4R1. It is, therefore, affected by multiple vulnerabilities : - An integer overflow issue exists in procps-ng. This is related to CVE-2018-1124. (CVE-2018-1126) - A directory traversal issue exits in reposync, a part of yum-utils.tory configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. (CVE-2018-10897) - An integer overflow flaw was found in the Linux kernel
last seen	2020-06-01
modified	2020-06-02
plugin id	121068
published	2019-01-10
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/121068
title	Juniper Junos Space 18.4.x < 18.4R1 Multiple Vulnerabilities (JSA10917)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2018-358.NASL
description	This update for libvirt and virt-manager fixes the following issues : Security issues fixed : - CVE-2017-5715: Fixes for speculative side channel attacks aka
last seen	2020-06-05
modified	2018-04-13
plugin id	109020
published	2018-04-13
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109020
title	openSUSE Security Update : libvirt (openSUSE-2018-358) (Spectre)

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2018-1_0-0129.NASL
description	An update of 'libvirt', 'librelp' packages of Photon OS has been released.
last seen	2019-02-21
modified	2019-02-07
plugin id	111931
published	2018-08-17
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=111931
title	Photon OS 1.0: Librelp / Libvirt PHSA-2018-1.0-0129 (deprecated)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-2468.NASL
description	According to the versions of the libvirt packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12126) - Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2019-11091) - Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12130) - Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12127) - An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block.(CVE-2019-3886) - libvirt version before 4.2.0-rc1 is vulnerable to a resource exhaustion as a result of an incomplete fix for CVE-2018-5748 that affects QEMU monitor but now also triggered via QEMU guest agent.(CVE-2018-1064) - qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply.(CVE-2018-5748) - Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.(CVE-2018-3639) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-08
modified	2019-12-04
plugin id	131621
published	2019-12-04
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131621
title	EulerOS 2.0 SP2 : libvirt (EulerOS-SA-2019-2468)

NASL family	NewStart CGSL Local Security Checks
NASL id	NEWSTART_CGSL_NS-SA-2019-0132_LIBVIRT.NASL
description	The remote NewStart CGSL host, running version MAIN 4.05, has libvirt packages installed that are affected by multiple vulnerabilities: - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
last seen	2020-06-01
modified	2020-06-02
plugin id	127387
published	2019-08-12
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127387
title	NewStart CGSL MAIN 4.05 : libvirt Multiple Vulnerabilities (NS-SA-2019-0132)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-2082-1.NASL
description	This update for libvirt fixes the following issues: Security issues fixed : - CVE-2017-5715: Fixes for speculative side channel attacks aka
last seen	2020-06-01
modified	2020-06-02
plugin id	111434
published	2018-07-30
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/111434
title	SUSE SLES12 Security Update : libvirt (SUSE-SU-2018:2082-1) (Spectre)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2018-1253.NASL
description	According to the versions of the libvirt packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An incomplete fix for CVE-2018-5748 that affects QEMU monitor leading to a resource exhaustion but now also triggered via QEMU guest agent.(CVE-2018-1064) - util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module.(CVE-2018-6764) - qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply.(CVE-2018-5748) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	117562
published	2018-09-18
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/117562
title	EulerOS Virtualization 2.5.1 : libvirt (EulerOS-SA-2018-1253)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2018-1197.NASL
description	According to the versions of the libvirt packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load i1/4+ Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
last seen	2020-05-06
modified	2018-07-03
plugin id	110861
published	2018-07-03
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/110861
title	EulerOS 2.0 SP3 : libvirt (EulerOS-SA-2018-1197)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-1315.NASL
description	Daniel P. Berrange and Peter Krempa of Red Hat discovered a flaw in libvirt, a virtualization API. A lack of restriction for the amount of data read by QEMU Monitor socket can lead to a denial of service by exhaustion of memory resources. For Debian 7
last seen	2020-03-17
modified	2018-03-27
plugin id	108605
published	2018-03-27
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/108605
title	Debian DLA-1315-1 : libvirt security update

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2018-2_0-0039.NASL
description	An update of {'openjdk8', 'httpd', 'librelp', 'zsh', 'libvirt', 'libtiff'} packages of Photon OS has been released.
last seen	2019-02-21
modified	2019-02-07
plugin id	111298
published	2018-07-24
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=111298
title	Photon OS 2.0 : openjdk8 / httpd / librelp / zsh / libvirt (PhotonOS-PHSA-2018-2.0-0039) (deprecated)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-3680-1.NASL
description	Ken Johnson and Jann Horn independently discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via sidechannel attacks. An attacker in the guest could use this to expose sensitive guest information, including kernel memory. This update allows libvirt to expose new CPU features added by microcode updates to guests. (CVE-2018-3639) Daniel P. Berrange discovered that libvirt incorrectly handled the QEMU guest agent. An attacker could possibly use this issue to consume resources, leading to a denial of service. (CVE-2018-1064). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	110515
published	2018-06-13
reporter	Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/110515
title	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : libvirt vulnerability and update (USN-3680-1) (Spectre)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-1295-1.NASL
description	This update for libvirt fixes the following issues: Security issues fixed : - CVE-2017-5715: Spectre fixes for libvirt (bsc#1079869, bsc#1088147, bsc#1087887). - CVE-2018-1064: Avoid denial of service reading from QEMU guest agent (bsc#1083625). - CVE-2018-5748: Avoid denial of service reading from QEMU monitor (bsc#1076500). Bug fixes : - bsc#1025340: Use xend for nodeGetFreeMemory API. - bsc#960742: Allow read access to script directories in libvirtd AppArmor profile. - bsc#936233: Introduce qemuDomainDefCheckABIStability. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	109861
published	2018-05-16
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109861
title	SUSE SLES11 Security Update : libvirt (SUSE-SU-2018:1295-1) (Spectre)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2018-1396.NASL
description	An update for libvirt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix(es) : * libvirt: Resource exhaustion via qemuMonitorIORead() method (CVE-2018-5748) * libvirt: Incomplete fix for CVE-2018-5748 triggered by QEMU guest agent (CVE-2018-1064) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2018-1064 issue was discovered by Daniel P. Berrange (Red Hat) and the CVE-2018-5748 issue was discovered by Daniel P. Berrange (Red Hat) and Peter Krempa (Red Hat). Bug Fix(es) : * Previously, the check for a non-unique device boot order did not properly handle updates of existing devices when a new device was attached to a guest. Consequently, updating any device with a specified boot order failed. With this update, the duplicity check detects correctly handles updates and ignores the original device, which avoids reporting false conflicts. As a result, updating a device with a boot order succeeds. (BZ# 1557922) * In Red Hat Enterprise Linux 7.5, guests with SCSI passthrough enabled failed to boot because of changes in kernel CGroup detection. With this update, libvirt fetches dependencies and adds them to the device CGroup. As a result, and the affected guests now start as expected. (BZ#1564996) * The VMX parser in libvirt did not parse more than four network interfaces. As a consequence, the esx driver did not expose more than four network interface cards (NICs) for guests running ESXi. With this update, the VMX parser parses all the available NICs in .vmx files. As a result, libvirt reports all the NICs of guests running ESXi. (BZ#1566524) * Previously, user aliases for PTY devices that were longer than 32 characters were not supported. Consequently, if a domain included a PTY device with a user alias longer than 32 characters, the domain would not start. With this update, a static buffer was replaced with a dynamic buffer. As a result, the domain starts even if the length of the user alias for a PTY device is longer than 32 characters. (BZ#1566525)
last seen	2020-06-01
modified	2020-06-02
plugin id	110247
published	2018-05-31
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/110247
title	CentOS 7 : libvirt (CESA-2018:1396)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2018-1929.NASL
description	From Red Hat Security Advisory 2018:1929 : An update for libvirt is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix(es) : * libvirt: Resource exhaustion via qemuMonitorIORead() method (CVE-2018-5748) * libvirt: Incomplete fix for CVE-2018-5748 triggered by QEMU guest agent (CVE-2018-1064) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2018-5748 issue was discovered by Daniel P. Berrange (Red Hat) and Peter Krempa (Red Hat), and the CVE-2018-1064 issue was discovered by Daniel P. Berrange (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	110706
published	2018-06-27
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/110706
title	Oracle Linux 6 : libvirt (ELSA-2018-1929)

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2018-2_0-0039_LIBVIRT.NASL
description	An update of the libvirt package has been released.
last seen	2020-03-17
modified	2019-02-07
plugin id	121937
published	2019-02-07
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/121937
title	Photon OS 2.0: Libvirt PHSA-2018-2.0-0039

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-0920-1.NASL
description	This update for libvirt and virt-manager fixes the following issues: Security issues fixed : - CVE-2017-5715: Fixes for speculative side channel attacks aka
last seen	2020-06-01
modified	2020-06-02
plugin id	109012
published	2018-04-12
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109012
title	SUSE SLED12 / SLES12 Security Update : libvirt (SUSE-SU-2018:0920-1) (Spectre)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1394.NASL
description	According to the versions of the libvirt packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module.(CVE-2018-6764) - qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply.(CVE-2018-5748) - libvirt version 2.3.0 and later is vulnerable to a bad default configuration of
last seen	2020-06-01
modified	2020-06-02
plugin id	124897
published	2019-05-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124897
title	EulerOS Virtualization for ARM 64 3.0.1.0 : libvirt (EulerOS-SA-2019-1394)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1456.NASL
description	According to the versions of the libvirt packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module.(CVE-2018-6764) - qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply.(CVE-2018-5748) - libvirt version 2.3.0 and later is vulnerable to a bad default configuration of
last seen	2020-06-01
modified	2020-06-02
plugin id	124959
published	2019-05-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124959
title	EulerOS Virtualization 3.0.1.0 : libvirt (EulerOS-SA-2019-1456)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20180515_LIBVIRT_ON_SL7_X.NASL
description	Security Fix(es) : - libvirt: Resource exhaustion via qemuMonitorIORead() method (CVE-2018-5748) - libvirt: Incomplete fix for CVE-2018-5748 triggered by QEMU guest agent (CVE-2018-1064) The CVE-2018-1064 issue was discovered by Daniel P. Berrang (Red Hat) and the CVE-2018-5748 issue was discovered by Daniel P. Berrange (Red Hat) and Peter Krempa (Red Hat). Bug Fix(es) : - Previously, the check for a non-unique device boot order did not properly handle updates of existing devices when a new device was attached to a guest. Consequently, updating any device with a specified boot order failed. With this update, the duplicity check detects correctly handles updates and ignores the original device, which avoids reporting false conflicts. As a result, updating a device with a boot order succeeds. - In Scientific Linux 7.5, guests with SCSI passthrough enabled failed to boot because of changes in kernel CGroup detection. With this update, libvirt fetches dependencies and adds them to the device CGroup. As a result, and the affected guests now start as expected. - The VMX parser in libvirt did not parse more than four network interfaces. As a consequence, the esx driver did not expose more than four network interface cards (NICs) for guests running ESXi. With this update, the VMX parser parses all the available NICs in .vmx files. As a result, libvirt reports all the NICs of guests running ESXi. - Previously, user aliases for PTY devices that were longer than 32 characters were not supported. Consequently, if a domain included a PTY device with a user alias longer than 32 characters, the domain would not start. With this update, a static buffer was replaced with a dynamic buffer. As a result, the domain starts even if the length of the user alias for a PTY device is longer than 32 characters.
last seen	2020-03-18
modified	2018-05-16
plugin id	109853
published	2018-05-16
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109853
title	Scientific Linux Security Update : libvirt on SL7.x x86_64 (20180515)

Redhat

advisories

rhsa
id RHSA-2018:1396
rhsa
id RHSA-2018:1929

rpms

libvirt-0:3.9.0-14.el7_5.4
libvirt-admin-0:3.9.0-14.el7_5.4
libvirt-client-0:3.9.0-14.el7_5.4
libvirt-daemon-0:3.9.0-14.el7_5.4
libvirt-daemon-config-network-0:3.9.0-14.el7_5.4
libvirt-daemon-config-nwfilter-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-interface-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-lxc-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-network-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-nodedev-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-nwfilter-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-qemu-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-secret-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-storage-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-storage-core-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-storage-disk-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-storage-gluster-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-storage-iscsi-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-storage-logical-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-storage-mpath-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-storage-rbd-0:3.9.0-14.el7_5.4
libvirt-daemon-driver-storage-scsi-0:3.9.0-14.el7_5.4
libvirt-daemon-kvm-0:3.9.0-14.el7_5.4
libvirt-daemon-lxc-0:3.9.0-14.el7_5.4
libvirt-debuginfo-0:3.9.0-14.el7_5.4
libvirt-devel-0:3.9.0-14.el7_5.4
libvirt-docs-0:3.9.0-14.el7_5.4
libvirt-libs-0:3.9.0-14.el7_5.4
libvirt-lock-sanlock-0:3.9.0-14.el7_5.4
libvirt-login-shell-0:3.9.0-14.el7_5.4
libvirt-nss-0:3.9.0-14.el7_5.4
libvirt-0:0.10.2-64.el6
libvirt-client-0:0.10.2-64.el6
libvirt-debuginfo-0:0.10.2-64.el6
libvirt-devel-0:0.10.2-64.el6
libvirt-lock-sanlock-0:0.10.2-64.el6
libvirt-python-0:0.10.2-64.el6

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Redhat

References