Permissions, Privileges, and Access Controls in libvirt



| Updated: 2020-08-10
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2013-6457
CWE-ID CWE-264
Exploitation vector Local network
Public exploit N/A
Vulnerable software
 libvirt
Universal components / Libraries / Libraries used by multiple products

Vendor libvirt.org

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU42110

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-6457

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote #AU# to read and manipulate data.

The libxlDomainGetNumaParameters function in the libxl driver (libxl/libxl_driver.c) in libvirt before 1.2.1 does not properly initialize the nodemap, which allows local users to cause a denial of service (invalid free operation and crash) or possibly execute arbitrary code via an inactive domain to the virsh numatune command.

Mitigation

Install update from vendor's website.

Vulnerable software versions

libvirt: 0.0.1 - 1.1.4

CPE2.3 External links

https://libvirt.org/news.html
https://lists.opensuse.org/opensuse-updates/2014-02/msg00060.html
https://secunia.com/advisories/60895
https://security.gentoo.org/glsa/glsa-201412-04.xml
https://www.ubuntu.com/usn/USN-2093-1
https://bugzilla.redhat.com/show_bug.cgi?id=1048629
https://www.redhat.com/archives/libvir-list/2013-December/msg01176.html
https://www.redhat.com/archives/libvir-list/2013-December/msg01258.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###