libvirt up to 1.2.3 XML Entity Expansion virConnectCompareCPU/virConnectBaselineCPU XML_PARSE_NOENT input validation

CVSS Meta Temp Score: 4.6
Current Exploit Price (≈): $0-$5k
CTI Interest Score: 0.00

Summary

A vulnerability categorized as problematic has been discovered in libvirt up to 1.2.3. It affects the function virConnectCompareCPU/virConnectBaselineCPU of the component XML Entity Expansion Handler. Manipulation of the argument XML_PARSE_NOENT leads to an input validation weakness. This vulnerability is reported as CVE-2014-0179. No exploit exists. Upgrading the affected component is advisable.

Details

A vulnerability was found in libvirt up to 1.2.3 (Virtualization Software) and classified as problematic. Affected is the function virConnectCompareCPU/virConnectBaselineCPU of the component XML Entity Expansion Handler. Manipulation of the argument XML_PARSE_NOENT with unknown input leads to an input validation vulnerability. CWE classifies the issue as CWE-20: the product receives input or data but does not validate, or incorrectly validates, that the input has the properties required to process it safely and correctly. The impact is on availability.

The issue was introduced on 12/23/2009. The weakness was disclosed on 05/06/2014 by Daniel P. Berrange and Richard Jones of Red Hat as LSN-2014-0003 in a confirmed posting (Mailing List). The advisory is available at redhat.com. The public release was coordinated with the vendor. This vulnerability has been tracked as CVE-2014-0179 since 12/03/2013. Exploitability is rated as easy. The attack can be launched remotely and requires no authentication. Technical details are known, but no exploit is available. The advisory points out:

When parsing XML documents, libvirt passes the XML_PARSE_NOENT flag to libxml2 which instructs it to expand all entities in the XML document during parsing. This can be used to insert the contents of host OS files in the resulting parsed content. Although the flaw was introduced in 0.0.5, it was dormant, having no ill effects, since the APIs involved all required the user to authenticate with privileges equivalent to root. In version 0.7.5 or later the virConnectCompareCPU / virConnectBaselineCPU methods activate the dormant bug, allowing for denial of service. In version 1.0.0 or later, if the admin opts in to using the new fine grained access control feature, there is potential for unprivileged information disclosure.

The vulnerability was handled as a non-public zero-day exploit for at least 1595 days. During that time the estimated underground price was around $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 74175 (Fedora 20 : libvirt-1.1.3.5-2.fc20 (2014-6586)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Fedora Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 123338 (Fedora Security Update for libvirt (FEDORA-2015-1883)).

Upgrading to version 1.2.4 eliminates this vulnerability. The upgrade is hosted for download at libvirt.org. A possible mitigation has been published immediately after the disclosure of the vulnerability. The posting contains the following remark:

Stop using the fine grained access control mechanism, and restrict access to all the libvirt TCP/UNIX sockets to only trusted authenticated users. Simply denying access to the affected APIs in the access control policy is insufficient to mitigate the bug, since the XML document typically needs to be parsed before the access control check is applied in order to extract the UUID/name of the object to check. Access to the readonly libvirt socket must also be revoked.
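The parser-flag behaviour quoted from the advisory and the mitigation remark above, as an added example that is not libvirt's or the advisory's own code. Python's expat parser substitutes internal entities by default, standing in here for libxml2 under XML_PARSE_NOENT; the hardened path refuses any entity declaration while the prolog is still being read, so the body is never parsed and the ACL-ordering problem the remark describes never arises. The `<cpu>` samples, the `parse_cpu_model` / `is_rejected` names and the minimal `<model>` extraction are constructed assumptions for illustration.

```python
import xml.parsers.expat as expat

# Constructed samples (illustrative, not real libvirt documents): a plain <cpu>
# description of the kind virConnectCompareCPU accepts, and one that declares
# an entity in the internal DTD subset and references it from the body.
CPU_XML = b"<cpu><arch>x86_64</arch><model>Nehalem</model><vendor>Intel</vendor></cpu>"
CPU_XML_WITH_ENTITY = b'<!DOCTYPE cpu [<!ENTITY m "Nehalem">]><cpu><model>&m;</model></cpu>'


class EntityDeclarationError(ValueError):
    """Raised when the hardened parser meets any entity declaration."""


def parse_cpu_model(xml_bytes, allow_entities):
    """Return the text of <model>. allow_entities=True mirrors XML_PARSE_NOENT
    (declarations accepted, references substituted); allow_entities=False aborts
    on the first declaration, before the element body is ever reached."""
    parser = expat.ParserCreate()
    state = {"in_model": False, "model": ""}

    def start_element(name, attrs):
        if name == "model":
            state["in_model"] = True

    def end_element(name):
        if name == "model":
            state["in_model"] = False

    def character_data(data):
        if state["in_model"]:
            state["model"] += data  # expat may deliver text in several chunks

    def refuse_entity(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclarationError(f"entity declaration {name!r} refused")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    if not allow_entities:
        parser.EntityDeclHandler = refuse_entity
        # Never fetch external (SYSTEM/PUBLIC) entities: returning 0 fails the parse.
        parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(xml_bytes, True)
    return state["model"]


def is_rejected(xml_bytes):
    """True when the hardened parser refuses the document outright."""
    try:
        parse_cpu_model(xml_bytes, allow_entities=False)
    except EntityDeclarationError:
        return True
    return False
```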

The vulnerability is also documented in the databases at X-Force (93016), Tenable (74175), SecurityFocus (BID 67289†), OSVDB (106723†) and Secunia (SA58449†). Further details are available at redhat.com. The entries VDB-11780, VDB-11782, VDB-11995 and VDB-11999 are closely related. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Not Affected

  • libvirt up to 0.7.4

CVSSv3

VulDB Meta Base Score: 5.3
VulDB Meta Temp Score: 4.6

VulDB Base Score: 5.3
VulDB Temp Score: 4.6

Exploiting

Class: Input validation
CWE: CWE-20

Physical: Partially
Local: Yes
Remote: Yes

Status: Unproven

Nessus ID: 74175
Nessus Name: Fedora 20 : libvirt-1.1.3.5-2.fc20 (2014-6586)

OpenVAS ID: 703038
OpenVAS Name: Debian Security Advisory DSA 3038-1 (libvirt - security update)

Countermeasures

Recommended: Upgrade

Upgrade: libvirt 1.2.4

Timeline

12/23/2009
12/03/2013 +1441 days
04/11/2014 +129 days
05/06/2014 +25 days
05/06/2014 +0 days
05/06/2014 +0 days
05/08/2014 +2 days
05/08/2014 +0 days
05/09/2014 +1 days
05/26/2014 +17 days
06/09/2014 +14 days
08/03/2014 +55 days
06/19/2021 +2512 days

Sources

Advisory: LSN-2014-0003
Researcher: Daniel P. Berrange, Richard Jones
Organization: Red Hat
Status: Confirmed

CVE: CVE-2014-0179
GCVE (CVE): GCVE-0-2014-0179
GCVE (VulDB): GCVE-100-13182

X-Force: 93016 - libvirt XXE information disclosure, Medium Risk
SecurityFocus: 67289 - libvirt XML Entity Expansion CVE-2014-0179 Information Disclosure Vulnerability
Secunia: 58449 - libvirt XML Entity Expansion Information Disclosure and Denial of Service Vulnerability, Less Critical
OSVDB: 106723
Vulnerability Center: 44843 - Libvirt Multiple Versions Local Code Execution DoS or Information Disclosure via XML Document Parsing, Medium

Entry

Created: 05/09/2014 14:16
Updated: 06/19/2021 12:59
Changes: 05/09/2014 14:16 (91), 05/30/2017 10:59 (9), 06/19/2021 12:51 (3), 06/19/2021 12:59 (1)