libvirt up to 1.1.2 qemu/qemu_migration.c qemuMonitorGetSpiceMigrationStatus null pointer dereference
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.6 | $0-$5k | 0.00 |
Summary
A vulnerability identified as problematic has been detected in libvirt. The impacted element is the function qemuMonitorGetSpiceMigrationStatus of the file qemu/qemu_migration.c. This manipulation causes null pointer dereference.
The identification of this vulnerability is CVE-2013-7336. There is no exploit available.
It is recommended to apply a patch to fix this issue.
Details
A vulnerability was found in libvirt (Virtualization Software). It has been declared as problematic. Affected by this vulnerability is the function qemuMonitorGetSpiceMigrationStatus of the file qemu/qemu_migration.c. The manipulation with an unknown input leads to a null pointer dereference vulnerability. The CWE definition for the vulnerability is CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. As an impact it is known to affect availability. The summary by CVE is:
The qemuMigrationWaitForSpice function in qemu/qemu_migration.c in libvirt before 1.1.3 does not properly enter a monitor when performing seamless SPICE migration, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) by causing domblkstat to be called at the same time as the qemuMonitorGetSpiceMigrationStatus function.
The weakness was shared 03/19/2014 by Marian Krcmarik with Red Hat as qemu: Fix seamless SPICE migration as confirmed git commit (GIT Repository). It is possible to read the advisory at libvirt.org. This vulnerability is known as CVE-2013-7336 since 03/18/2014. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details of the vulnerability are known, but there is no available exploit. The advisory points out:
An unprivileged user able to issue commands to running libvirtd could use this flaw to crash libvirtd and prevent more privileged clients from working correctly.
The vulnerability scanner Nessus provides a plugin with the ID 73940 (Ubuntu 13.10 : libvirt vulnerabilities (USN-2209-1)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Ubuntu Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 166965 (OpenSuSE Security Update for libvirt (openSUSE-SU-2014:0593-1)).
Applying a patch is able to eliminate this problem. The bugfix is ready for download at libvirt.org. A possible mitigation has been published even before and not after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (91957), Tenable (73940), SecurityFocus (BID 66304†), Secunia (SA56187†) and SecurityTracker (ID 1030213†). Additional details are provided at seclists.org. The entry VDB-11782 is related to this item. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.3VulDB Meta Temp Score: 4.6
VulDB Base Score: 5.3
VulDB Temp Score: 4.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Null pointer dereferenceCWE: CWE-476 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Yes
Availability: 🔍
Status: Unproven
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 73940
Nessus Name: Ubuntu 13.10 : libvirt vulnerabilities (USN-2209-1)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 841804
OpenVAS Name: Ubuntu Update for libvirt USN-2209-1
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Patch: libvirt.org
Timeline
09/20/2013 🔍02/21/2014 🔍
03/18/2014 🔍
03/19/2014 🔍
03/19/2014 🔍
03/19/2014 🔍
03/24/2014 🔍
05/07/2014 🔍
05/08/2014 🔍
06/16/2014 🔍
06/16/2021 🔍
Sources
Advisory: qemu: Fix seamless SPICE migrationResearcher: Marian Krcmarik
Organization: Red Hat
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2013-7336 (🔍)
GCVE (CVE): GCVE-0-2013-7336
GCVE (VulDB): GCVE-100-12679
OVAL: 🔍
X-Force: 91957 - libvirt qemuMonitorGetSpiceMigrationStatus() denial of service, Medium Risk
SecurityFocus: 66304 - libvirt CVE-2013-7336 Denial of Service Vulnerability
Secunia: 56187 - libvirt LXC Devices Hotplug Handling Security Issues, Not Critical
SecurityTracker: 1030213 - libvirt Null Pointer Dereference in qemuMigrationWaitForSpice() Lets Local Users Deny Service
Vulnerability Center: 44998 - Libvirt before 1.1.3 Local DoS Vulnerability in QemuMigrationWaitForSpice, Low
Misc.: 🔍
See also: 🔍
Entry
Created: 03/24/2014 10:57Updated: 06/16/2021 08:44
Changes: 03/24/2014 10:57 (84), 05/31/2017 08:45 (8), 06/16/2021 08:44 (3)
Complete: 🔍
Cache ID: 216:734:103
No comments yet. Languages: en.
Please log in to comment.