Lucene search

K
amazonAmazonALAS2-2020-1569
HistoryDec 08, 2020 - 9:30 p.m.

Medium: libvirt

2020-12-0821:30:00
alas.aws.amazon.com
15

6.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

High

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

13.1%

Issue Overview:

A double free memory issue was found to occur in the libvirt API responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or potentially escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25637)

Affected Packages:

libvirt

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update libvirt to update your system.

New Packages:

aarch64:  
    libvirt-4.5.0-36.amzn2.3.aarch64  
    libvirt-docs-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-config-network-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-config-nwfilter-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-network-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-nwfilter-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-nodedev-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-interface-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-secret-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-storage-core-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-storage-logical-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-storage-disk-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-storage-scsi-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-storage-iscsi-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-storage-mpath-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-storage-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-qemu-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-driver-lxc-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-kvm-4.5.0-36.amzn2.3.aarch64  
    libvirt-daemon-lxc-4.5.0-36.amzn2.3.aarch64  
    libvirt-client-4.5.0-36.amzn2.3.aarch64  
    libvirt-libs-4.5.0-36.amzn2.3.aarch64  
    libvirt-admin-4.5.0-36.amzn2.3.aarch64  
    libvirt-bash-completion-4.5.0-36.amzn2.3.aarch64  
    libvirt-login-shell-4.5.0-36.amzn2.3.aarch64  
    libvirt-devel-4.5.0-36.amzn2.3.aarch64  
    libvirt-lock-sanlock-4.5.0-36.amzn2.3.aarch64  
    libvirt-nss-4.5.0-36.amzn2.3.aarch64  
    libvirt-debuginfo-4.5.0-36.amzn2.3.aarch64  
  
i686:  
    libvirt-4.5.0-36.amzn2.3.i686  
    libvirt-docs-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-config-network-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-config-nwfilter-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-driver-network-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-driver-nwfilter-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-driver-nodedev-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-driver-interface-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-driver-secret-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-driver-storage-core-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-driver-storage-logical-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-driver-storage-disk-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-driver-storage-scsi-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-driver-storage-iscsi-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-driver-storage-mpath-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-driver-storage-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-driver-lxc-4.5.0-36.amzn2.3.i686  
    libvirt-daemon-lxc-4.5.0-36.amzn2.3.i686  
    libvirt-client-4.5.0-36.amzn2.3.i686  
    libvirt-libs-4.5.0-36.amzn2.3.i686  
    libvirt-admin-4.5.0-36.amzn2.3.i686  
    libvirt-bash-completion-4.5.0-36.amzn2.3.i686  
    libvirt-login-shell-4.5.0-36.amzn2.3.i686  
    libvirt-devel-4.5.0-36.amzn2.3.i686  
    libvirt-nss-4.5.0-36.amzn2.3.i686  
    libvirt-debuginfo-4.5.0-36.amzn2.3.i686  
  
src:  
    libvirt-4.5.0-36.amzn2.3.src  
  
x86_64:  
    libvirt-4.5.0-36.amzn2.3.x86_64  
    libvirt-docs-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-config-network-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-config-nwfilter-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-network-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-nwfilter-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-nodedev-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-interface-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-secret-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-storage-core-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-storage-logical-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-storage-disk-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-storage-scsi-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-storage-iscsi-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-storage-mpath-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-storage-gluster-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-storage-rbd-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-storage-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-qemu-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-driver-lxc-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-kvm-4.5.0-36.amzn2.3.x86_64  
    libvirt-daemon-lxc-4.5.0-36.amzn2.3.x86_64  
    libvirt-client-4.5.0-36.amzn2.3.x86_64  
    libvirt-libs-4.5.0-36.amzn2.3.x86_64  
    libvirt-admin-4.5.0-36.amzn2.3.x86_64  
    libvirt-bash-completion-4.5.0-36.amzn2.3.x86_64  
    libvirt-login-shell-4.5.0-36.amzn2.3.x86_64  
    libvirt-devel-4.5.0-36.amzn2.3.x86_64  
    libvirt-lock-sanlock-4.5.0-36.amzn2.3.x86_64  
    libvirt-nss-4.5.0-36.amzn2.3.x86_64  
    libvirt-debuginfo-4.5.0-36.amzn2.3.x86_64  

Additional References

Red Hat: CVE-2020-25637

Mitre: CVE-2020-25637

6.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

High

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

13.1%