Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.GENTOO_GLSA-202210-06.NASL
HistoryOct 16, 2022 - 12:00 a.m.

GLSA-202210-06 : libvirt: Multiple Vulnerabilities

2022-10-1600:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
10
JSON

The remote host is affected by the vulnerability described in GLSA-202210-06 (libvirt: Multiple Vulnerabilities)

  • A flaw was found in libvirt, where it leaked a file descriptor for /dev/mapper/control into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the host operating system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-14339)

  • A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or potentially escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25637)

  • A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs’ dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.
    (CVE-2021-3631)

  • An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. (CVE-2021-3667)

  • A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the driver->nwfilters mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the driver->nwfilters object. This flaw allows a malicious, unprivileged user to exploit this issue via libvirt’s API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd). (CVE-2022-0897)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# @NOAGENT@
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 202210-06.
#
# The advisory text is Copyright (C) 2001-2021 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include('compat.inc');

if (description)
{
  script_id(166166);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/09");

  script_cve_id(
    "CVE-2020-14339",
    "CVE-2020-25637",
    "CVE-2021-3631",
    "CVE-2021-3667",
    "CVE-2022-0897"
  );

  script_name(english:"GLSA-202210-06 : libvirt: Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"");
  script_set_attribute(attribute:"description", value:
"The remote host is affected by the vulnerability described in GLSA-202210-06 (libvirt: Multiple Vulnerabilities)

  - A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU
    process. This file descriptor allows for privileged operations to happen against the device-mapper on the
    host. This flaw allows a malicious guest user or process to perform operations outside of their standard
    permissions, potentially causing serious damage to the host operating system. The highest threat from this
    vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-14339)

  - A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible
    for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit
    access control driver. Specifically, clients connecting to the read-write socket with limited ACL
    permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or
    potentially escalate their privileges on the system. The highest threat from this vulnerability is to data
    confidentiality and integrity as well as system availability. (CVE-2020-25637)

  - A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This
    flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out
    of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.
    (CVE-2021-3631)

  - An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in
    the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly
    released on ACL permission failure. Clients connecting to the read-write socket with limited ACL
    permissions could use this flaw to acquire the lock and prevent other users from accessing storage
    pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability
    is to system availability. (CVE-2021-3667)

  - A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to
    acquire the driver->nwfilters mutex before iterating over virNWFilterObj instances. There was no
    protection to stop another thread from concurrently modifying the driver->nwfilters object. This flaw
    allows a malicious, unprivileged user to exploit this issue via libvirt's API virConnectNumOfNWFilters to
    crash the network filter management daemon (libvirtd/virtnwfilterd). (CVE-2022-0897)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security.gentoo.org/glsa/202210-06");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=746119");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=799713");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=812317");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=836128");
  script_set_attribute(attribute:"solution", value:
"All libvirt users should upgrade to the latest version:

          # emerge --sync
          # emerge --ask --oneshot --verbose >=app-emulation/libvirt-8.2.0
        
All libvirt-python users should upgrade to the latest version:

          # emerge --sync
          # emerge --ask --oneshot --verbose >=dev-python/libvirt-python-8.2.0");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-25637");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-14339");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/10/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:libvirt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:libvirt-python");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Gentoo Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var flag = 0;

var packages = [
  {
    'name' : "app-emulation/libvirt",
    'unaffected' : make_list("ge 8.2.0", "lt 8.0.0"),
    'vulnerable' : make_list("lt 8.2.0")
  },
  {
    'name' : "dev-python/libvirt-python",
    'unaffected' : make_list("ge 8.2.0", "lt 8.0.0"),
    'vulnerable' : make_list("lt 8.2.0")
  }
];

foreach package( packages ) {
  if (isnull(package['unaffected'])) package['unaffected'] = make_list();
  if (isnull(package['vulnerable'])) package['vulnerable'] = make_list();
  if (qpkg_check(package: package['name'] , unaffected: package['unaffected'], vulnerable: package['vulnerable'])) flag++;
}

# This plugin has a different number of unaffected and vulnerable versions for
# one or more packages. To ensure proper detection, a separate line should be 
# used for each fixed/vulnerable version pair.

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : qpkg_report_get()
  );
  exit(0);
}
else
{
  qpkg_tests = list_uniq(qpkg_tests);
  var tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvirt");
}
VendorProductVersionCPE
gentoolinuxlibvirtp-cpe:/a:gentoo:linux:libvirt
gentoolinuxlibvirt-pythonp-cpe:/a:gentoo:linux:libvirt-python
gentoolinuxcpe:/o:gentoo:linux

Related

gentoo 2
redos 2
nessus 61
osv 8
ubuntu 1
openvas 47
photon 2
suse 7
debian 2
githubexploit 1
rosalinux 2
veracode 6
redhatcve 5
cve 5
cbl_mariner 4
amazon 1
archlinux 2
redhat 5
alpinelinux 4
debiancve 5
prion 5
oraclelinux 7
ubuntucve 5
mageia 3
centos 1
fedora 2
almalinux 2
rocky 2
gentoo
gentoo
libvirt: Multiple Vulnerabilities
2022-10-16 00:00:00
libvirt: Unintended access to /dev/mapper/control
2021-01-26 00:00:00
redos
redos
ROS-20240329-20
2024-03-29 00:00:00
ROS-20240423-11
2024-04-23 00:00:00
nessus
nessus
Ubuntu 18.04 LTS / 20.04 LTS : libvirt vulnerabilities (USN-5399-1)
2022-05-02 00:00:00
EulerOS Virtualization 2.10.0 : libvirt (EulerOS-SA-2022-2045)
2022-07-15 00:00:00
EulerOS Virtualization 2.10.1 : libvirt (EulerOS-SA-2022-2073)
2022-07-15 00:00:00
osv
osv
libvirt vulnerabilities
2022-05-02 17:01:25
libvirt - security update
2024-04-01 00:00:00
CVE-2020-14339
2020-12-03 17:15:12
ubuntu
ubuntu
libvirt vulnerabilities
2022-05-02 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-5399-1)
2022-05-03 00:00:00
Huawei EulerOS: Security Advisory for libvirt (EulerOS-SA-2022-2073)
2022-07-14 00:00:00
SUSE: Security Advisory (SUSE-SU-2021:2812-1)
2021-08-24 00:00:00
photon
photon
Moderate Photon OS Security Update - PHSA-2022-0424
2022-07-23 00:00:00
Moderate Photon OS Security Update - PHSA-2022-3.0-0424
2022-07-23 00:00:00
suse
suse
Security update for libvirt (moderate)
2021-08-23 00:00:00
Security update for libvirt (important)
2020-09-19 00:00:00
Security update for libvirt (moderate)
2021-11-05 00:00:00
debian
debian
[SECURITY] [DLA 3778-1] libvirt security update
2024-04-01 12:19:02
[SECURITY] [DLA 2395-1] libvirt security update
2020-10-02 15:06:32
githubexploit
githubexploit
Exploit for Double Free in Redhat Libvirt
2020-12-04 11:01:29
rosalinux
rosalinux
Advisory ROSA-SA-2021-1899
2021-07-02 17:20:52
Advisory ROSA-SA-2024-2355
2024-02-20 09:45:01
veracode
veracode
Privilege Escalation
2020-10-08 14:02:24
Information Disclosure
2020-08-18 08:23:06
Denial Of Service (DoS)
2022-03-04 07:05:25
redhatcve
redhatcve
CVE-2020-25637
2020-09-30 16:19:28
CVE-2020-14339
2020-07-23 18:37:41
CVE-2021-3667
2021-07-27 12:55:36
cve
cve
CVE-2020-25637
2020-10-06 14:15:00
CVE-2020-14339
2020-12-03 17:15:00
CVE-2021-3667
2022-03-02 23:15:00
cbl_mariner
cbl_mariner
CVE-2020-25637 affecting package libvirt 6.1.0-6
2020-11-30 19:30:44
CVE-2020-25637 affecting package libvirt 6.1.0-4
2022-04-09 06:51:57
CVE-2021-3667 affecting package libvirt 6.1.0-6
2022-04-07 06:04:02
amazon
amazon
Medium: libvirt
2020-12-08 21:30:00
archlinux
archlinux
[ASA-202101-42] libvirt: arbitrary code execution
2021-01-29 00:00:00
[ASA-202009-8] libvirt: privilege escalation
2020-09-22 00:00:00
redhat
redhat
(RHSA-2020:5040) Moderate: libvirt security and bug fix update
2020-11-10 09:43:42
(RHSA-2022:8003) Low: libvirt security, bug fix, and enhancement update
2022-11-15 06:13:06
(RHSA-2020:3586) Important: virt:8.2 and virt-devel:8.2 security and bug fix update
2020-09-01 09:21:04
alpinelinux
alpinelinux
CVE-2020-25637
2020-10-06 14:15:00
CVE-2020-14339
2020-12-03 17:15:00
CVE-2021-3667
2022-03-02 23:15:00
debiancve
debiancve
CVE-2020-25637
2020-10-06 14:15:00
CVE-2020-14339
2020-12-03 17:15:00
CVE-2021-3667
2022-03-02 23:15:00
prion
prion
Design/Logic Flaw
2020-12-03 17:15:00
Double free
2020-10-06 14:15:00
Design/Logic Flaw
2022-03-02 23:15:00
oraclelinux
oraclelinux
libvirt security and bug fix update
2020-11-11 00:00:00
virt:kvm_utils security update
2022-12-17 00:00:00
libvirt security update
2022-12-06 00:00:00
ubuntucve
ubuntucve
CVE-2020-25637
2020-10-06 00:00:00
CVE-2020-14339
2020-12-03 00:00:00
CVE-2021-3667
2022-03-02 00:00:00
mageia
mageia
Updated libvirt packages fix security vulnerability
2020-12-29 14:57:17
Updated libvirt packages fix security vulnerability
2021-12-11 01:19:07
Updated libvirt packages fix security vulnerability
2021-08-14 17:00:09
centos
centos
libvirt security update
2020-11-18 17:32:39
fedora
fedora
[SECURITY] Fedora 34 Update: libvirt-7.0.0-7.fc34
2021-09-30 01:14:16
[SECURITY] Fedora 34 Update: libvirt-7.0.0-6.fc34
2021-07-13 01:15:12
almalinux
almalinux
Low: libvirt security, bug fix, and enhancement update
2022-11-15 00:00:00
Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update
2021-11-09 08:35:34
rocky
rocky
libvirt security, bug fix, and enhancement update
2022-11-15 06:13:06
virt:rhel and virt-devel:rhel security, bug fix, and enhancement update
2021-11-09 08:35:34
JSON
Related for GENTOO_GLSA-202210-06.NASL
gentoo2redos2nessus61osv8ubuntu1openvas47photon2suse7debian2githubexploit1rosalinux2veracode6redhatcve5cve5cbl_mariner4amazon1archlinux2redhat5alpinelinux4debiancve5prion5oraclelinux7ubuntucve5mageia3centos1fedora2almalinux2rocky2