CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
EPSS
Percentile
58.2%
It was found that QEMU’s qemuDomainMigratePerform() and qemuDomainMigrateFinish2() functions did not correctly perform a domain unlock on a failed ACL check. A remote attacker able to establish a connection to libvirtd could use this flaw to lock a domain of a more privileged user, causing a denial of service.
(CVE-2014-8136)
It was discovered that the virDomainSnapshotGetXMLDesc() and virDomainSaveImageGetXMLDesc() functions did not sufficiently limit the usage of the VIR_DOMAIN_XML_SECURE flag when fine-grained ACLs were enabled. A remote attacker able to establish a connection to libvirtd could use this flaw to obtain certain sensitive information from the domain XML file. (CVE-2015-0236)
Bug fixes :
The libvirtd daemon previously attempted to search for SELinux contexts even when SELinux was disabled on the host. Consequently, libvirtd logged ‘Unable to lookup SELinux process context’ error messages every time a client connected to libvirtd and SELinux was disabled.
libvirtd now verifies whether SELinux is enabled before searching for SELinux contexts, and no longer logs the error messages on a host with SELinux disabled.
The libvirt utility passed incomplete PCI addresses to QEMU. Consequently, assigning a PCI device that had a PCI address with a non- zero domain to a guest failed.
Now, libvirt properly passes PCI domain to QEMU when assigning PCI devices, which prevents the described problem.
Because the virDomainSetMaxMemory API did not allow changing the current memory in the LXC driver, the ‘virsh setmaxmem’ command failed when attempting to set the maximum memory to be lower than the current memory.
Now, ‘virsh setmaxmem’ sets the current memory to the intended value of the maximum memory, which avoids the mentioned problem.
Attempting to start a non-existent domain caused network filters to stay locked for read-only access. Because of this, subsequent attempts to gain read-write access to network filters triggered a deadlock. Network filters are now properly unlocked in the described scenario, and the deadlock no longer occurs.
If a guest configuration had an active nwfilter using the DHCP snooping feature and an attempt was made to terminate libvirtd before the associated nwfilter rule snooped the guest IP address from DHCP packets, libvirtd became unresponsive. This problem has been fixed by setting a longer wait time for snooping the guest IP address.
Enhancements :
A new ‘migrate_host’ option is now available in /etc/libvirt/qemu.conf, which allows users to set a custom IP address to be used for incoming migrations.
With this update, libvirt is able to create a compressed memory-only crash dump of a QEMU domain. This type of crash dump is directly readable by the GNU Debugger and requires significantly less hard disk space than the standard crash dump.
Support for reporting the NUMA node distance of the host has been added to libvirt. This enhances the current libvirt capabilities for reporting NUMA topology of the host, and allows for easier optimization of new domains.
The XML file of guest and host capabilities generated by the ‘virsh capabilities’ command has been enhanced to list the following information, where relevant: the interface speed and link status of the host, the PCI Express (PCIe) details, the host’s hardware support for I/O virtualization, and a report on the huge memory pages.
These packages also include a number of other bug fixes and enhancements.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(82257);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");
script_cve_id("CVE-2014-8136", "CVE-2015-0236");
script_name(english:"Scientific Linux Security Update : libvirt on SL7.x x86_64 (20150305)");
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:
"The remote Scientific Linux host is missing one or more security
updates."
);
script_set_attribute(
attribute:"description",
value:
"It was found that QEMU's qemuDomainMigratePerform() and
qemuDomainMigrateFinish2() functions did not correctly perform a
domain unlock on a failed ACL check. A remote attacker able to
establish a connection to libvirtd could use this flaw to lock a
domain of a more privileged user, causing a denial of service.
(CVE-2014-8136)
It was discovered that the virDomainSnapshotGetXMLDesc() and
virDomainSaveImageGetXMLDesc() functions did not sufficiently limit
the usage of the VIR_DOMAIN_XML_SECURE flag when fine-grained ACLs
were enabled. A remote attacker able to establish a connection to
libvirtd could use this flaw to obtain certain sensitive information
from the domain XML file. (CVE-2015-0236)
Bug fixes :
- The libvirtd daemon previously attempted to search for
SELinux contexts even when SELinux was disabled on the
host. Consequently, libvirtd logged 'Unable to lookup
SELinux process context' error messages every time a
client connected to libvirtd and SELinux was disabled.
libvirtd now verifies whether SELinux is enabled before
searching for SELinux contexts, and no longer logs the
error messages on a host with SELinux disabled.
- The libvirt utility passed incomplete PCI addresses to
QEMU. Consequently, assigning a PCI device that had a
PCI address with a non- zero domain to a guest failed.
Now, libvirt properly passes PCI domain to QEMU when
assigning PCI devices, which prevents the described
problem.
- Because the virDomainSetMaxMemory API did not allow
changing the current memory in the LXC driver, the
'virsh setmaxmem' command failed when attempting to set
the maximum memory to be lower than the current memory.
Now, 'virsh setmaxmem' sets the current memory to the
intended value of the maximum memory, which avoids the
mentioned problem.
- Attempting to start a non-existent domain caused network
filters to stay locked for read-only access. Because of
this, subsequent attempts to gain read-write access to
network filters triggered a deadlock. Network filters
are now properly unlocked in the described scenario, and
the deadlock no longer occurs.
- If a guest configuration had an active nwfilter using
the DHCP snooping feature and an attempt was made to
terminate libvirtd before the associated nwfilter rule
snooped the guest IP address from DHCP packets, libvirtd
became unresponsive. This problem has been fixed by
setting a longer wait time for snooping the guest IP
address.
Enhancements :
- A new 'migrate_host' option is now available in
/etc/libvirt/qemu.conf, which allows users to set a
custom IP address to be used for incoming migrations.
- With this update, libvirt is able to create a compressed
memory-only crash dump of a QEMU domain. This type of
crash dump is directly readable by the GNU Debugger and
requires significantly less hard disk space than the
standard crash dump.
- Support for reporting the NUMA node distance of the host
has been added to libvirt. This enhances the current
libvirt capabilities for reporting NUMA topology of the
host, and allows for easier optimization of new domains.
- The XML file of guest and host capabilities generated by
the 'virsh capabilities' command has been enhanced to
list the following information, where relevant: the
interface speed and link status of the host, the PCI
Express (PCIe) details, the host's hardware support for
I/O virtualization, and a report on the huge memory
pages.
These packages also include a number of other bug fixes and
enhancements."
);
# https://listserv.fnal.gov/scripts/wa.exe?A2=ind1503&L=scientific-linux-errata&T=0&P=2290
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?7bb1933c"
);
script_set_attribute(attribute:"solution", value:"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-client");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-daemon");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-config-network");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-config-nwfilter");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-driver-interface");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-driver-lxc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-driver-network");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-driver-nodedev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-driver-nwfilter");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-driver-qemu");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-driver-secret");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-driver-storage");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-kvm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-lxc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-docs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-lock-sanlock");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libvirt-login-shell");
script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/19");
script_set_attribute(attribute:"patch_publication_date", value:"2015/03/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/26");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Scientific Linux Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
flag = 0;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-client-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-daemon-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-daemon-config-network-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-daemon-config-nwfilter-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-daemon-driver-interface-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-daemon-driver-lxc-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-daemon-driver-network-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-daemon-driver-nodedev-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-daemon-driver-nwfilter-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-daemon-driver-qemu-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-daemon-driver-secret-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-daemon-driver-storage-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-daemon-kvm-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-daemon-lxc-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-debuginfo-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-devel-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-docs-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-lock-sanlock-1.2.8-16.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libvirt-login-shell-1.2.8-16.el7")) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_NOTE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvirt / libvirt-client / libvirt-daemon / etc");
}
Vendor | Product | Version | CPE |
---|---|---|---|
fermilab | scientific_linux | libvirt-daemon-driver-nodedev | p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-driver-nodedev |
fermilab | scientific_linux | libvirt-daemon-driver-nwfilter | p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-driver-nwfilter |
fermilab | scientific_linux | libvirt-daemon-driver-qemu | p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-driver-qemu |
fermilab | scientific_linux | libvirt-daemon-driver-secret | p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-driver-secret |
fermilab | scientific_linux | libvirt-daemon-driver-storage | p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-driver-storage |
fermilab | scientific_linux | libvirt-daemon-kvm | p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-kvm |
fermilab | scientific_linux | libvirt-daemon-lxc | p-cpe:/a:fermilab:scientific_linux:libvirt-daemon-lxc |
fermilab | scientific_linux | libvirt-debuginfo | p-cpe:/a:fermilab:scientific_linux:libvirt-debuginfo |
fermilab | scientific_linux | libvirt-devel | p-cpe:/a:fermilab:scientific_linux:libvirt-devel |
fermilab | scientific_linux | libvirt-docs | p-cpe:/a:fermilab:scientific_linux:libvirt-docs |