| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.5 | $0-$5k | 0.00 |
Summary
A vulnerability categorized as problematic has been discovered in libvirt. Affected by this issue is some unknown functionality of the file proc/$PID/root. Executing a manipulation can lead to link following. This vulnerability is tracked as CVE-2013-6456. Moreover, an exploit is present. It is advisable to upgrade the affected component.
Details
A vulnerability classified as problematic was found in libvirt (Virtualization Software). This vulnerability affects an unknown functionality of the file proc/$PID/root. The manipulation with an unknown input leads to a link following vulnerability. The CWE definition for the vulnerability is CWE-59. The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. As an impact it is known to affect availability. CVE summarizes:
The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to "paths under /proc/$PID/root" and the virInitctlSetRunLevel function.
The weakness was disclosed 01/05/2014 by Eric Blake with Red Hat as Bug 1048627 (Website). The advisory is available at access.redhat.com. This vulnerability was named CVE-2013-6456 since 11/04/2013. The exploitation appears to be easy. The attack can only be done within the local network. The successful exploitation needs a single authentication. Technical details and also a public exploit are known.
It is possible to download the exploit at bugs.debian.org. It is declared as highly functional. The vulnerability scanner Nessus provides a plugin with the ID 75338 (openSUSE Security Update : libvirt (openSUSE-SU-2014:0593-1)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SuSE Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 123338 (Fedora Security Update for libvirt (FEDORA-2015-1883)).
Upgrading eliminates this vulnerability.
The vulnerability is also documented in the databases at X-Force (91453), Tenable (75338), SecurityFocus (BID 65743†), OSVDB (101858†) and Secunia (SA56187†). Additional details are provided at bugzilla.redhat.com. The entries VDB-11780, VDB-11999, VDB-12679 and VDB-13182 are pretty similar. Once again VulDB remains the best source for vulnerability data.
Product
Type
Name
Version
- 1.0.1
- 1.0.2
- 1.0.3
- 1.0.4
- 1.0.5
- 1.0.5.1
- 1.0.5.2
- 1.0.5.3
- 1.0.5.4
- 1.0.5.5
- 1.0.5.6
- 1.0.6
- 1.1.0
- 1.1.1
- 1.1.2
- 1.1.3
- 1.1.4
- 1.2.0
- 1.2.1
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.7VulDB Meta Temp Score: 5.5
VulDB Base Score: 5.7
VulDB Temp Score: 5.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Link followingCWE: CWE-59
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Partially
Availability: 🔍
Access: Public
Status: Highly functional
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 75338
Nessus Name: openSUSE Security Update : libvirt (openSUSE-SU-2014:0593-1)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 867558
OpenVAS Name: Fedora Update for libvirt FEDORA-2014-2864
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Timeline
11/04/2013 🔍12/17/2013 🔍
12/17/2013 🔍
01/05/2014 🔍
01/10/2014 🔍
02/21/2014 🔍
04/15/2014 🔍
04/17/2014 🔍
06/13/2014 🔍
06/04/2021 🔍
Sources
Advisory: Bug 1048627Researcher: Eric Blake
Organization: Red Hat
Status: Not defined
Confirmation: 🔍
CVE: CVE-2013-6456 (🔍)
GCVE (CVE): GCVE-0-2013-6456
GCVE (VulDB): GCVE-100-11782
OVAL: 🔍
X-Force: 91453 - libvirt /dev/initctl and /dev symlink, Medium Risk
SecurityFocus: 65743 - libvirt Unsafe Paths Usage Symlink Multiple Security Vulnerabilities
Secunia: 56187 - libvirt LXC Devices Hotplug Handling Security Issues, Not Critical
OSVDB: 101858
Vulnerability Center: 44149 - libvirt 1.0.1 Through 1.2.1 Local File System Write Vulnerability on Multiple Containers, Low
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
See also: 🔍
Entry
Created: 01/10/2014 09:56Updated: 06/04/2021 19:26
Changes: 01/10/2014 09:56 (87), 05/25/2017 10:53 (4), 06/04/2021 19:26 (3)
Complete: 🔍
Cache ID: 216:9D0:103
No comments yet. Languages: en.
Please log in to comment.