libvirt up to 1.2.10 virDomainGetXMLDesc VIR_DOMAIN_XML_MIGRATABLE Password credentials management

CVSS Meta Temp Score: 4.6
CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.
Current Exploit Price (≈): $0-$5k
Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. It is a good indicator of the monetary effort required for an attack and of its popularity.
CTI Interest Score: 0.00
Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk of being targeted through this vulnerability.

A vulnerability classified as critical has been found in libvirt up to 1.2.10 (Virtualization Software). It affects the function virDomainGetXMLDesc. Manipulating the argument VIR_DOMAIN_XML_MIGRATABLE with an unknown input leads to a credentials management vulnerability (Password). The CWE classification is CWE-255. Confidentiality is impacted. The CVE summary reads:

The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote read-only users to obtain the VNC password by using the VIR_DOMAIN_XML_MIGRATABLE flag, which triggers the use of the VIR_DOMAIN_XML_SECURE flag.

The weakness was published on 11/05/2014 by Eric Blake as a confirmed advisory (Website). The advisory is available for download at ubuntu.com. This vulnerability has been handled as CVE-2014-7823 since 10/03/2014. Exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details are known, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1552.

The vulnerability scanner Nessus provides a plugin with the ID 80387 (Oracle Linux 7 : libvirt (ELSA-2015-0008)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Oracle Linux Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 195666 (Ubuntu Security Notification for Libvirt Vulnerabilities (USN-2404-1)).

Upgrading to version 1.2.11 eliminates this vulnerability. The advisory contains the following remark:

VNC passwords are notoriously weak (they are capped at an 8 byte maximum length; the VNC protocol sends them in plaintext over the network; and FIPS mode execution prohibits the use of a VNC password), so it is recommended that users not create domains with a VNC password in the first place. Domains that do not use VNC passwords do not suffer from information leaks; the use of SPICE connections is recommended not only because it avoids the leak, but also because SPICE provides better features than VNC for a guest graphics device. It is also possible to prevent the leak by denying access to read-only clients; for builds of libvirt that support fine-grained ACLs, this course of action requires ensuring that no user is granted the 'read' ACL privilege without also having the 'read_secure' privilege.
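An added example for the advisory's recommendation above, not taken from the advisory or from libvirt: it flags domain definitions whose VNC graphics element carries a `passwd` attribute and checks whether a version string predates the fixed release 1.2.11. The sample XML, the function names and the plain dotted version format are assumptions.

```python
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 2, 11)  # from the entry: upgrading to 1.2.11 removes the flaw

# Constructed sample domain definitions (not taken from any real host).
SAMPLE_DOMAINS = {
    "web01": """<domain type='kvm'><name>web01</name><devices>
        <graphics type='vnc' port='-1' autoport='yes' passwd='s3cret12'/>
      </devices></domain>""",
    "db01": """<domain type='kvm'><name>db01</name><devices>
        <graphics type='spice' autoport='yes'/>
      </devices></domain>""",
    "build01": """<domain type='kvm'><name>build01</name><devices>
        <graphics type='vnc' port='5901' listen='127.0.0.1'/>
      </devices></domain>""",
}


def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(libvirt_version):
    """True for releases before the fixed version named in the entry."""
    return parse_version(libvirt_version) < FIXED_VERSION


def vnc_password_domains(domain_xml_by_name):
    """Return sorted names of domains whose VNC graphics device has a passwd.

    The password value itself is never returned or printed.
    """
    flagged = []
    for name, xml_text in domain_xml_by_name.items():
        root = ET.fromstring(xml_text)
        if any(g.get("type") == "vnc" and g.get("passwd")
               for g in root.iter("graphics")):
            flagged.append(name)
    return sorted(flagged)


def report(libvirt_version, domain_xml_by_name):
    """A host is at risk only if it runs an affected release AND has such domains."""
    exposed = vnc_password_domains(domain_xml_by_name)
    affected = is_affected(libvirt_version)
    return {"affected_release": affected,
            "vnc_password_domains": exposed,
            "at_risk": affected and bool(exposed)}


if __name__ == "__main__":
    print(report("1.2.10", SAMPLE_DOMAINS))
```

On a real host the input would be the stored domain definitions or the output of `virsh dumpxml --security-info` collected by an administrator; flagged domains are candidates for removing the VNC password or moving to SPICE, as the advisory recommends.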

The vulnerability is also documented in the databases at X-Force (98807) and Tenable (80387). A similar entry is available at 67721.

CVSSv3

VulDB Meta Base Score: 5.3
VulDB Meta Temp Score: 4.6

VulDB Base Score: 5.3
VulDB Temp Score: 4.6

Exploiting

Name: Password
Class: Credentials management / Password
CWE: CWE-255
ATT&CK: T1552

Local: No
Remote: Yes

Status: Unproven

Nessus ID: 80387
Nessus Name: Oracle Linux 7 : libvirt (ELSA-2015-0008)

OpenVAS ID: 871165
OpenVAS Name: RedHat Update for libvirt RHSA-2014:1873-01

Countermeasures

Recommended: Upgrade

Upgrade: libvirt 1.2.11

Timeline

10/03/2014
11/05/2014 +33 days
11/05/2014 +0 days
11/05/2014 +0 days
11/12/2014 +7 days
11/13/2014 +1 days
11/20/2014 +7 days
11/20/2014 +0 days
01/06/2015 +47 days
02/25/2022 +2607 days

Sources

Advisory: RHSA-2015:0008
Researcher: Eric Blake
Status: Confirmed

CVE: CVE-2014-7823

X-Force: 98807 - Libvirt virDomainGetXMLDesc information disclosure, Medium Risk
Vulnerability Center: 47194 - Libvirt before 1.2.11 Remote Information Disclosure via the VIR_DOMAIN_XML_MIGRATABLE, Medium
SecurityFocus: 71095 - libvirt CVE-2014-7823 Information Disclosure Vulnerability
Secunia: 62303 - Ubuntu update for libvirt, Not Critical

Entry

Created: 11/20/2014 10:13
Updated: 02/25/2022 04:00
Changes: 11/20/2014 10:13 (87), 06/12/2017 08:35 (1), 02/25/2022 03:52 (3), 02/25/2022 04:00 (2)