Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-5399-1.NASL
HistoryMay 02, 2022 - 12:00 a.m.

Ubuntu 18.04 LTS / 20.04 LTS : libvirt vulnerabilities (USN-5399-1)

2022-05-0200:00:00
Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
16
JSON

The remote Ubuntu 18.04 LTS / 20.04 LTS / 21.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5399-1 advisory.

  • A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or potentially escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25637)

  • A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs’ dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.
    (CVE-2021-3631)

  • An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. (CVE-2021-3667)

  • A flaw was found in the libvirt libxl driver. A malicious guest could continuously reboot itself and cause libvirtd on the host to deadlock or crash, resulting in a denial of service condition. (CVE-2021-4147)

  • A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the driver->nwfilters mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the driver->nwfilters object. This flaw allows a malicious, unprivileged user to exploit this issue via libvirt’s API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd). (CVE-2022-0897)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-5399-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(160444);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/16");

  script_cve_id(
    "CVE-2020-25637",
    "CVE-2021-3631",
    "CVE-2021-3667",
    "CVE-2021-3975",
    "CVE-2021-4147",
    "CVE-2022-0897"
  );
  script_xref(name:"USN", value:"5399-1");

  script_name(english:"Ubuntu 18.04 LTS / 20.04 LTS : libvirt vulnerabilities (USN-5399-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 18.04 LTS / 20.04 LTS / 21.10 host has packages installed that are affected by multiple
vulnerabilities as referenced in the USN-5399-1 advisory.

  - A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible
    for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit
    access control driver. Specifically, clients connecting to the read-write socket with limited ACL
    permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or
    potentially escalate their privileges on the system. The highest threat from this vulnerability is to data
    confidentiality and integrity as well as system availability. (CVE-2020-25637)

  - A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This
    flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out
    of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.
    (CVE-2021-3631)

  - An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in
    the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly
    released on ACL permission failure. Clients connecting to the read-write socket with limited ACL
    permissions could use this flaw to acquire the lock and prevent other users from accessing storage
    pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability
    is to system availability. (CVE-2021-3667)

  - A flaw was found in the libvirt libxl driver. A malicious guest could continuously reboot itself and cause
    libvirtd on the host to deadlock or crash, resulting in a denial of service condition. (CVE-2021-4147)

  - A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to
    acquire the `driver->nwfilters` mutex before iterating over virNWFilterObj instances. There was no
    protection to stop another thread from concurrently modifying the `driver->nwfilters` object. This flaw
    allows a malicious, unprivileged user to exploit this issue via libvirt's API virConnectNumOfNWFilters to
    crash the network filter management daemon (libvirtd/virtnwfilterd). (CVE-2022-0897)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-5399-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-25637");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/10/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/05/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/05/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libnss-libvirt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-bin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-daemon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-driver-lxc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-driver-qemu");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-driver-storage-gluster");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-driver-storage-rbd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-driver-storage-sheepdog");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-driver-storage-zfs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-driver-vbox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-driver-xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-system");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-system-systemd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-system-sysv");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-sanlock");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt-wireshark");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvirt0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('18.04' >< os_release || '20.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '18.04', 'pkgname': 'libnss-libvirt', 'pkgver': '4.0.0-1ubuntu8.21'},
    {'osver': '18.04', 'pkgname': 'libvirt-bin', 'pkgver': '4.0.0-1ubuntu8.21'},
    {'osver': '18.04', 'pkgname': 'libvirt-clients', 'pkgver': '4.0.0-1ubuntu8.21'},
    {'osver': '18.04', 'pkgname': 'libvirt-daemon', 'pkgver': '4.0.0-1ubuntu8.21'},
    {'osver': '18.04', 'pkgname': 'libvirt-daemon-driver-storage-gluster', 'pkgver': '4.0.0-1ubuntu8.21'},
    {'osver': '18.04', 'pkgname': 'libvirt-daemon-driver-storage-rbd', 'pkgver': '4.0.0-1ubuntu8.21'},
    {'osver': '18.04', 'pkgname': 'libvirt-daemon-driver-storage-sheepdog', 'pkgver': '4.0.0-1ubuntu8.21'},
    {'osver': '18.04', 'pkgname': 'libvirt-daemon-driver-storage-zfs', 'pkgver': '4.0.0-1ubuntu8.21'},
    {'osver': '18.04', 'pkgname': 'libvirt-daemon-system', 'pkgver': '4.0.0-1ubuntu8.21'},
    {'osver': '18.04', 'pkgname': 'libvirt-dev', 'pkgver': '4.0.0-1ubuntu8.21'},
    {'osver': '18.04', 'pkgname': 'libvirt-sanlock', 'pkgver': '4.0.0-1ubuntu8.21'},
    {'osver': '18.04', 'pkgname': 'libvirt-wireshark', 'pkgver': '4.0.0-1ubuntu8.21'},
    {'osver': '18.04', 'pkgname': 'libvirt0', 'pkgver': '4.0.0-1ubuntu8.21'},
    {'osver': '20.04', 'pkgname': 'libnss-libvirt', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-clients', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-daemon', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-daemon-driver-lxc', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-daemon-driver-qemu', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-daemon-driver-storage-gluster', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-daemon-driver-storage-rbd', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-daemon-driver-storage-zfs', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-daemon-driver-vbox', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-daemon-driver-xen', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-daemon-system', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-daemon-system-systemd', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-daemon-system-sysv', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-dev', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-sanlock', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt-wireshark', 'pkgver': '6.0.0-0ubuntu8.16'},
    {'osver': '20.04', 'pkgname': 'libvirt0', 'pkgver': '6.0.0-0ubuntu8.16'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libnss-libvirt / libvirt-bin / libvirt-clients / libvirt-daemon / etc');
}
VendorProductVersionCPE
canonicalubuntu_linux18.04cpe:/o:canonical:ubuntu_linux:18.04:-:lts
canonicalubuntu_linux20.04cpe:/o:canonical:ubuntu_linux:20.04:-:lts
canonicalubuntu_linuxlibnss-libvirtp-cpe:/a:canonical:ubuntu_linux:libnss-libvirt
canonicalubuntu_linuxlibvirt-binp-cpe:/a:canonical:ubuntu_linux:libvirt-bin
canonicalubuntu_linuxlibvirt-clientsp-cpe:/a:canonical:ubuntu_linux:libvirt-clients
canonicalubuntu_linuxlibvirt-daemonp-cpe:/a:canonical:ubuntu_linux:libvirt-daemon
canonicalubuntu_linuxlibvirt-daemon-driver-lxcp-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-driver-lxc
canonicalubuntu_linuxlibvirt-daemon-driver-qemup-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-driver-qemu
canonicalubuntu_linuxlibvirt-daemon-driver-storage-glusterp-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-driver-storage-gluster
canonicalubuntu_linuxlibvirt-daemon-driver-storage-rbdp-cpe:/a:canonical:ubuntu_linux:libvirt-daemon-driver-storage-rbd
Rows per page:
1-10 of 211

Related

osv 5
openvas 52
ubuntu 1
gentoo 1
nessus 60
redos 3
debian 2
suse 7
photon 2
githubexploit 1
rosalinux 1
veracode 7
cve 6
amazon 1
cbl_mariner 5
redhatcve 6
alpinelinux 3
debiancve 6
archlinux 1
redhat 2
oraclelinux 7
prion 6
mageia 3
centos 1
ubuntucve 6
fedora 2
almalinux 1
rocky 1
osv
osv
libvirt vulnerabilities
2022-05-02 17:01:25
libvirt - security update
2024-04-01 00:00:00
libvirt - security update
2020-10-02 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-5399-1)
2022-05-03 00:00:00
Debian: Security Advisory (DLA-3778-1)
2024-04-02 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:0128-1)
2022-01-20 00:00:00
ubuntu
ubuntu
libvirt vulnerabilities
2022-05-02 00:00:00
gentoo
gentoo
libvirt: Multiple Vulnerabilities
2022-10-16 00:00:00
nessus
nessus
GLSA-202210-06 : libvirt: Multiple Vulnerabilities
2022-10-16 00:00:00
Debian dla-3778 : libnss-libvirt - security update
2024-04-01 00:00:00
EulerOS Virtualization 2.10.0 : libvirt (EulerOS-SA-2022-2045)
2022-07-15 00:00:00
redos
redos
ROS-20240329-20
2024-03-29 00:00:00
ROS-20240423-11
2024-04-23 00:00:00
ROS-20240410-03
2024-04-10 00:00:00
debian
debian
[SECURITY] [DLA 3778-1] libvirt security update
2024-04-01 12:19:02
[SECURITY] [DLA 2395-1] libvirt security update
2020-10-02 15:06:32
suse
suse
Security update for libvirt (moderate)
2021-08-23 00:00:00
Security update for libvirt (moderate)
2021-11-05 00:00:00
Security update for libvirt (moderate)
2021-08-10 00:00:00
photon
photon
Moderate Photon OS Security Update - PHSA-2022-0424
2022-07-23 00:00:00
Moderate Photon OS Security Update - PHSA-2022-3.0-0424
2022-07-23 00:00:00
githubexploit
githubexploit
Exploit for Double Free in Redhat Libvirt
2020-12-04 11:01:29
rosalinux
rosalinux
Advisory ROSA-SA-2021-1899
2021-07-02 17:20:52
veracode
veracode
Privilege Escalation
2020-10-08 14:02:24
Denial Of Service (DoS)
2022-03-04 07:05:25
Denial Of Service (DoS)
2021-12-30 13:26:51
cve
cve
CVE-2020-25637
2020-10-06 14:15:00
CVE-2021-3975
2022-08-23 20:15:00
CVE-2021-3667
2022-03-02 23:15:00
amazon
amazon
Medium: libvirt
2020-12-08 21:30:00
cbl_mariner
cbl_mariner
CVE-2020-25637 affecting package libvirt 6.1.0-6
2020-11-30 19:30:44
CVE-2020-25637 affecting package libvirt 6.1.0-4
2022-04-09 06:51:57
CVE-2021-3975 affecting package libvirt 6.1.0-5
2022-10-13 00:40:13
redhatcve
redhatcve
CVE-2020-25637
2020-09-30 16:19:28
CVE-2021-3975
2021-11-18 11:56:31
CVE-2021-3667
2021-07-27 12:55:36
alpinelinux
alpinelinux
CVE-2020-25637
2020-10-06 14:15:00
CVE-2021-3667
2022-03-02 23:15:00
CVE-2021-3631
2022-03-02 23:15:00
debiancve
debiancve
CVE-2020-25637
2020-10-06 14:15:00
CVE-2021-3975
2022-08-23 20:15:00
CVE-2021-3667
2022-03-02 23:15:00
archlinux
archlinux
[ASA-202101-42] libvirt: arbitrary code execution
2021-01-29 00:00:00
redhat
redhat
(RHSA-2020:5040) Moderate: libvirt security and bug fix update
2020-11-10 09:43:42
(RHSA-2022:8003) Low: libvirt security, bug fix, and enhancement update
2022-11-15 06:13:06
oraclelinux
oraclelinux
libvirt security and bug fix update
2020-11-11 00:00:00
libvirt libvirt-python security update
2022-08-01 00:00:00
virt:kvm_utils security update
2022-12-17 00:00:00
prion
prion
Double free
2020-10-06 14:15:00
Design/Logic Flaw
2022-08-23 20:15:00
Design/Logic Flaw
2022-03-02 23:15:00
mageia
mageia
Updated libvirt packages fix security vulnerability
2020-12-29 14:57:17
Updated libvirt packages fix security vulnerability
2021-12-11 01:19:07
Updated libvirt packages fix security vulnerability
2021-08-14 17:00:09
centos
centos
libvirt security update
2020-11-18 17:32:39
ubuntucve
ubuntucve
CVE-2020-25637
2020-10-06 00:00:00
CVE-2021-3975
2021-11-24 00:00:00
CVE-2021-3667
2022-03-02 00:00:00
fedora
fedora
[SECURITY] Fedora 34 Update: libvirt-7.0.0-7.fc34
2021-09-30 01:14:16
[SECURITY] Fedora 34 Update: libvirt-7.0.0-6.fc34
2021-07-13 01:15:12
almalinux
almalinux
Low: libvirt security, bug fix, and enhancement update
2022-11-15 00:00:00
rocky
rocky
libvirt security, bug fix, and enhancement update
2022-11-15 06:13:06
JSON
Related for UBUNTU_USN-5399-1.NASL
osv5openvas52ubuntu1gentoo1nessus60redos3debian2suse7photon2githubexploit1rosalinux1veracode7cve6amazon1cbl_mariner5redhatcve6alpinelinux3debiancve6archlinux1redhat2oraclelinux7prion6mageia3centos1ubuntucve6fedora2almalinux1rocky1