libvirt 1.2.0 Disk Swapping qemu/qemu_driver.c virDomainBlockStats race condition
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.8 | $0-$5k | 0.00 |
Summary
A vulnerability was found in libvirt 1.2.0. It has been declared as problematic. Affected is the function virDomainBlockStats of the file qemu/qemu_driver.c of the component Disk Swapping Handler. Such manipulation leads to race condition.
This vulnerability is referenced as CVE-2013-6458. Furthermore, an exploit is available.
It is recommended to upgrade the affected component.
Details
A vulnerability was found in libvirt 1.2.0 (Virtualization Software). It has been rated as problematic. Affected by this issue is the function virDomainBlockStats of the file qemu/qemu_driver.c of the component Disk Swapping Handler. The manipulation with an unknown input leads to a race condition vulnerability. Using CWE to declare the problem leads to CWE-362. The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. Impacted is availability. CVE summarizes:
Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify that the disk is attached, which allows remote read-only attackers to cause a denial of service (libvirtd crash) via the virDomainDetachDeviceFlags command.
The weakness was published 01/07/2014 by Alex as qemu: Fix job usage in virDomainGetBlockIoTune as confirmed git commit (GIT Repository). The advisory is shared for download at libvirt.org. This vulnerability is handled as CVE-2013-6458 since 11/04/2013. The attack needs to be approached locally. Required for exploitation is a simple authentication. Technical details as well as a public exploit are known.
After immediately, there has been an exploit disclosed. It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 72137 (Fedora 19 : libvirt-1.0.5.9-1.fc19 (2014-1090)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Fedora Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 123338 (Fedora Security Update for libvirt (FEDORA-2015-1883)).
Upgrading to version 1.2.1-rc1 eliminates this vulnerability. The upgrade is hosted for download at libvirt.org. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (90550), Tenable (72137), SecurityFocus (BID 64723†), OSVDB (101853†) and Secunia (SA56186†). Similar entries are available at VDB-11782, VDB-11995, VDB-11999 and VDB-12003. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Type
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.5VulDB Meta Temp Score: 4.8
VulDB Base Score: 5.5
VulDB Temp Score: 4.8
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Race conditionCWE: CWE-362
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Access: Public
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 72137
Nessus Name: Fedora 19 : libvirt-1.0.5.9-1.fc19 (2014-1090)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 702846
OpenVAS Name: Debian Security Advisory DSA 2846-1 (libvirt - several vulnerabilities
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Upgrade: libvirt 1.2.1-rc1
Timeline
11/04/2013 🔍12/13/2013 🔍
12/13/2013 🔍
01/07/2014 🔍
01/07/2014 🔍
01/07/2014 🔍
01/08/2014 🔍
01/10/2014 🔍
01/24/2014 🔍
01/27/2014 🔍
01/30/2014 🔍
06/04/2021 🔍
Sources
Advisory: qemu: Fix job usage in virDomainGetBlockIoTuneResearcher: Alex
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2013-6458 (🔍)
GCVE (CVE): GCVE-0-2013-6458
GCVE (VulDB): GCVE-100-11780
OVAL: 🔍
X-Force: 90550 - libvirt virDomainBlockStats() function denial of service, Medium Risk
SecurityFocus: 64723 - libvirt 'virDomainBlockStats()' Denial of Service Vulnerability
Secunia: 56186 - libvirt "virDomainBlockStats()" Denial of Service Vulnerability, Not Critical
OSVDB: 101853
Vulnerability Center: 43103 - Libvirt before 1.2.1 Remote DoS Vulnerability due to Race Condition in virDomainDetachDeviceFlags, Low
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 01/10/2014 09:22Updated: 06/04/2021 19:18
Changes: 01/10/2014 09:22 (88), 05/20/2017 10:11 (5), 06/04/2021 19:18 (3)
Complete: 🔍
Cache ID: 216:9D8:103
No comments yet. Languages: en.
Please log in to comment.