Oracle Linux 7 : libvirt (ELSA-2015-0323)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2015:0323 and 
# Oracle Linux Security Advisory ELSA-2015-0323 respectively.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(81801);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");

  script_cve_id("CVE-2014-8136", "CVE-2015-0236");
  script_bugtraq_id(70186, 70210, 71095, 71780, 71782, 72526);
  script_xref(name:"RHSA", value:"2015:0323");

  script_name(english:"Oracle Linux 7 : libvirt (ELSA-2015-0323)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"From Red Hat Security Advisory 2015:0323 :

Updated libvirt packages that fix two security issues, several bugs,
and add various enhancements are now available for Red Hat Enterprise
Linux 7.

Red Hat Product Security has rated this update as having Low security
impact. Common Vulnerability Scoring System (CVSS) base scores, which
give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The libvirt library is a C API for managing and interacting with the
virtualization capabilities of Linux and other operating systems.

It was found that QEMU's qemuDomainMigratePerform() and
qemuDomainMigrateFinish2() functions did not correctly perform a
domain unlock on a failed ACL check. A remote attacker able to
establish a connection to libvirtd could use this flaw to lock a
domain of a more privileged user, causing a denial of service.
(CVE-2014-8136)

It was discovered that the virDomainSnapshotGetXMLDesc() and
virDomainSaveImageGetXMLDesc() functions did not sufficiently limit
the usage of the VIR_DOMAIN_XML_SECURE flag when fine-grained ACLs
were enabled. A remote attacker able to establish a connection to
libvirtd could use this flaw to obtain certain sensitive information
from the domain XML file. (CVE-2015-0236)

The CVE-2015-0236 issue was found by Luyao Huang of Red Hat.

Bug fixes :

* The libvirtd daemon previously attempted to search for SELinux
contexts even when SELinux was disabled on the host. Consequently,
libvirtd logged 'Unable to lookup SELinux process context' error
messages every time a client connected to libvirtd and SELinux was
disabled. libvirtd now verifies whether SELinux is enabled before
searching for SELinux contexts, and no longer logs the error messages
on a host with SELinux disabled. (BZ#1135155)

* The libvirt utility passed incomplete PCI addresses to QEMU.
Consequently, assigning a PCI device that had a PCI address with a
non-zero domain to a guest failed. Now, libvirt properly passes PCI
domain to QEMU when assigning PCI devices, which prevents the
described problem. (BZ#1127080)

* Because the virDomainSetMaxMemory API did not allow changing the
current memory in the LXC driver, the 'virsh setmaxmem' command failed
when attempting to set the maximum memory to be lower than the current
memory. Now, 'virsh setmaxmem' sets the current memory to the intended
value of the maximum memory, which avoids the mentioned problem.
(BZ#1091132)

* Attempting to start a non-existent domain caused network filters to
stay locked for read-only access. Because of this, subsequent attempts
to gain read-write access to network filters triggered a deadlock.
Network filters are now properly unlocked in the described scenario,
and the deadlock no longer occurs. (BZ#1088864)

* If a guest configuration had an active nwfilter using the DHCP
snooping feature and an attempt was made to terminate libvirtd before
the associated nwfilter rule snooped the guest IP address from DHCP
packets, libvirtd became unresponsive. This problem has been fixed by
setting a longer wait time for snooping the guest IP address.
(BZ#1075543)

Enhancements :

* A new 'migrate_host' option is now available in
/etc/libvirt/qemu.conf, which allows users to set a custom IP address
to be used for incoming migrations. (BZ#1087671)

* With this update, libvirt is able to create a compressed memory-only
crash dump of a QEMU domain. This type of crash dump is directly
readable by the GNU Debugger and requires significantly less hard disk
space than the standard crash dump. (BZ#1035158)

* Support for reporting the NUMA node distance of the host has been
added to libvirt. This enhances the current libvirt capabilities for
reporting NUMA topology of the host, and allows for easier
optimization of new domains. (BZ#1086331)

* The XML file of guest and host capabilities generated by the 'virsh
capabilities' command has been enhanced to list the following
information, where relevant: the interface speed and link status of
the host, the PCI Express (PCIe) details, the host's hardware support
for I/O virtualization, and a report on the huge memory pages.
(BZ#1076960, BZ#1076957, BZ#1076959, BZ#1076962)

These packages also include a number of other bug fixes and
enhancements. For additional details, see the 'Bugs Fixed' section
below."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2015-March/004883.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected libvirt packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-daemon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-daemon-config-network");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-daemon-config-nwfilter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-daemon-driver-interface");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-daemon-driver-lxc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-daemon-driver-network");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-daemon-driver-nodedev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-daemon-driver-nwfilter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-daemon-driver-qemu");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-daemon-driver-secret");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-daemon-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-daemon-lxc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-lock-sanlock");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvirt-login-shell");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/13");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

flag = 0;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-client-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-daemon-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-daemon-config-network-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-daemon-config-nwfilter-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-daemon-driver-interface-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-daemon-driver-lxc-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-daemon-driver-network-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-daemon-driver-nodedev-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-daemon-driver-nwfilter-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-daemon-driver-qemu-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-daemon-driver-secret-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-daemon-kvm-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-daemon-lxc-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-devel-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-docs-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-lock-sanlock-1.2.8-16.0.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libvirt-login-shell-1.2.8-16.0.1.el7")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
  else security_note(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvirt / libvirt-client / libvirt-daemon / etc");
}