libvirt up to 1.2.10 virDomainGetXMLDesc VIR_DOMAIN_XML_MIGRATABLE Password credentials management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.6 | $0-$5k | 0.00 |
Summary
A vulnerability was found in libvirt up to 1.2.10 and classified as critical (VulDB rating; CVSSv3 base score 5.3). The affected element is the function virDomainGetXMLDesc. Calling it with the VIR_DOMAIN_XML_MIGRATABLE flag discloses the domain's VNC password to read-only clients, a credentials management (Password) weakness.
This vulnerability is referenced as CVE-2014-7823. No exploit is available.
It is suggested to upgrade the affected component.
Details
A vulnerability, which was classified as critical, has been found in libvirt up to 1.2.10 (Virtualization Software). Affected by this issue is the function virDomainGetXMLDesc. Passing the VIR_DOMAIN_XML_MIGRATABLE flag makes the driver apply VIR_DOMAIN_XML_SECURE internally, so the returned XML contains the VNC password even for a read-only connection that would be refused VIR_DOMAIN_XML_SECURE if it asked for it directly. This is a credentials management vulnerability (Password); using CWE to declare the problem leads to CWE-255. Impacted is confidentiality. CVE summarizes:
The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote read-only users to obtain the VNC password by using the VIR_DOMAIN_XML_MIGRATABLE flag, which triggers the use of the VIR_DOMAIN_XML_SECURE flag.
The weakness was published 11/05/2014 by Eric Blake as a confirmed advisory. The advisory is available at ubuntu.com. This vulnerability is handled as CVE-2014-7823 since 10/03/2014. The exploitation is known to be easy. The attack may be launched remotely. A read-only connection to libvirtd is sufficient; no elevated privileges are required beyond that. Technical details are known, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1552.
The vulnerability scanner Nessus provides a plugin with the ID 80387 (Oracle Linux 7 : libvirt (ELSA-2015-0008)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Oracle Linux Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 195666 (Ubuntu Security Notification for Libvirt Vulnerabilities (USN-2404-1)).
Upgrading to version 1.2.11 eliminates this vulnerability. The advisory contains the following remark:
VNC passwords are notoriously weak (they are capped at an 8 byte maximum length; the VNC protocol sends them in plaintext over the network; and FIPS mode execution prohibits the use of a VNC password), so it is recommended that users not create domains with a VNC password in the first place. Domains that do not use VNC passwords do not suffer from information leaks; the use of SPICE connections is recommended not only because it avoids the leak, but also because SPICE provides better features than VNC for a guest graphics device. It is also possible to prevent the leak by denying access to read-only clients; for builds of libvirt that support fine-grained ACLs, this course of action requires ensuring that no user is granted the 'read' ACL privilege without also having the 'read_secure' privilege.
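As an added illustration (this is not libvirt's code and not the actual patch), the following Python models the flag interaction the CVE describes and doubles as an audit for the remediation advice above. The server-side model strips the passwd attribute unless VIR_DOMAIN_XML_SECURE is in effect, and its vulnerable switch reproduces the pre-1.2.11 shortcut in which VIR_DOMAIN_XML_MIGRATABLE turned SECURE on after the ACL check had already passed. The flag values are those of libvirt-domain.h; the sample domain XML is constructed; check_live_host assumes the libvirt-python bindings and a reachable libvirtd.

```python
"""Added example (not libvirt's code): models the VIR_DOMAIN_XML_MIGRATABLE ->
VIR_DOMAIN_XML_SECURE interaction behind CVE-2014-7823 and audits domain XML
for VNC passwords, which the advisory recommends not using at all."""
import xml.etree.ElementTree as ET

# Flag values as defined in libvirt's libvirt-domain.h (virDomainXMLFlags).
VIR_DOMAIN_XML_SECURE = 1 << 0
VIR_DOMAIN_XML_INACTIVE = 1 << 1
VIR_DOMAIN_XML_UPDATE_CPU = 1 << 2
VIR_DOMAIN_XML_MIGRATABLE = 1 << 3

# Constructed sample domain XML (not taken from a real host).
SAMPLE_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <graphics type='vnc' port='5900' autoport='no' listen='0.0.0.0' passwd='hunter2'/>
    <graphics type='spice' port='5901' autoport='no'/>
  </devices>
</domain>"""


def domain_xml_desc(domain_xml, flags, has_read_secure, vulnerable):
    """Model of the server side of virDomainGetXMLDesc: returns the XML the
    caller sees. vulnerable=True reproduces the pre-1.2.11 behaviour: the ACL
    is evaluated against the flags the caller passed, and MIGRATABLE then
    turns SECURE on internally, so a read-only caller receives the passwd
    attribute without holding read_secure. vulnerable=False gates secure
    output on the caller's privilege only (a model of the fix, not the patch)."""
    # read_secure is only checked when the caller asked for SECURE...
    if flags & VIR_DOMAIN_XML_SECURE and not has_read_secure:
        raise PermissionError("VIR_DOMAIN_XML_SECURE requires read_secure")
    if vulnerable and flags & VIR_DOMAIN_XML_MIGRATABLE:
        # ...but the migratable path enabled SECURE after that check.
        flags |= VIR_DOMAIN_XML_SECURE
    root = ET.fromstring(domain_xml)
    if not flags & VIR_DOMAIN_XML_SECURE:
        # Redact what libvirt hides from non-secure dumps: the VNC password.
        for graphics in root.iter("graphics"):
            graphics.attrib.pop("passwd", None)
    return ET.tostring(root, encoding="unicode")


def vnc_passwords(domain_xml):
    """Return (domain name, port) for every VNC graphics device carrying a
    password. A non-empty result means the domain is exposed by this bug on
    an unpatched host and, per the advisory, should not use a VNC password."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="?")
    return [(name, g.get("port")) for g in root.iter("graphics")
            if g.get("type") == "vnc" and g.get("passwd") is not None]


def check_live_host(uri="qemu:///system"):
    """Run the leak check against a real libvirtd (assumes libvirt-python is
    installed): open a read-only connection and request the migratable XML.
    Any passwd attribute in the answer means the host is unpatched or grants
    read-only clients the read_secure privilege."""
    import libvirt  # deferred so the offline model above runs without it
    conn = libvirt.openReadOnly(uri)
    leaks = []
    try:
        for dom in conn.listAllDomains():
            leaks += vnc_passwords(dom.XMLDesc(libvirt.VIR_DOMAIN_XML_MIGRATABLE))
    finally:
        conn.close()
    return leaks


if __name__ == "__main__":
    ro_flags = VIR_DOMAIN_XML_MIGRATABLE  # what a read-only client may pass
    print("unpatched, read-only caller:",
          vnc_passwords(domain_xml_desc(SAMPLE_XML, ro_flags, False, True)))
    print("patched, read-only caller:",
          vnc_passwords(domain_xml_desc(SAMPLE_XML, ro_flags, False, False)))
```

Running the module prints the leaked (guest1, 5900) pair for the unpatched model and an empty list for the patched one; vnc_passwords alone, applied to `virsh dumpxml` output, is the audit the advisory asks for (no VNC passwords at all), and check_live_host is the black-box check to run against a host whose patch level is unknown.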
The vulnerability is also documented in the databases at X-Force (98807), Tenable (80387), SecurityFocus (BID 71095), Secunia (SA62303) and Vulnerability Center (SBV-47194). A similar entry is available at VDB-67721.
CVSSv3
VulDB Meta Base Score: 5.3
VulDB Meta Temp Score: 4.6
VulDB Base Score: 5.3
VulDB Temp Score: 4.6
Exploiting
Name: Password
Class: Credentials management / Password
CWE: CWE-255
Physical: No
Local: No
Remote: Yes
Status: Unproven
Nessus ID: 80387
Nessus Name: Oracle Linux 7 : libvirt (ELSA-2015-0008)
OpenVAS ID: 871165
OpenVAS Name: RedHat Update for libvirt RHSA-2014:1873-01
Qualys ID: 195666
Qualys Name: Ubuntu Security Notification for Libvirt Vulnerabilities (USN-2404-1)
Countermeasures
Recommended: Upgrade
Upgrade: libvirt 1.2.11
Timeline
10/03/2014 CVE-2014-7823 assigned
11/05/2014 Advisory published
11/05/2014
11/05/2014
11/12/2014
11/13/2014
11/20/2014 VulDB entry created
11/20/2014
01/06/2015
02/25/2022 VulDB entry updated
Sources
Advisory: RHSA-2015:0008
Researcher: Eric Blake
Status: Confirmed
CVE: CVE-2014-7823
GCVE (CVE): GCVE-0-2014-7823
GCVE (VulDB): GCVE-100-68240
X-Force: 98807 - Libvirt virDomainGetXMLDesc information disclosure, Medium Risk
SecurityFocus: 71095 - libvirt CVE-2014-7823 Information Disclosure Vulnerability
Secunia: 62303 - Ubuntu update for libvirt, Not Critical
Vulnerability Center: 47194 - Libvirt before 1.2.11 Remote Information Disclosure via the VIR_DOMAIN_XML_MIGRATABLE, Medium
Entry
Created: 11/20/2014 10:13
Updated: 02/25/2022 04:00
Changes: 11/20/2014 10:13 (87), 06/12/2017 08:35 (1), 02/25/2022 03:52 (3), 02/25/2022 04:00 (2)