#VU45011 Resource management error in libvirt - CVE-2011-1486

Cybersecurity Help s.r.o.

Published: 2011-05-31 | Updated: 2020-08-11

Vulnerability identifier: #VU45011

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2011-1486

CWE-ID: CWE-399

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
libvirt
Universal components / Libraries / Libraries used by multiple products

Vendor: libvirt.org

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

libvirtd in libvirt before 0.9.0 does not use thread-safe error reporting, which allows remote attackers to cause a denial of service (crash) by causing multiple threads to report errors at the same time.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libvirt: 0.0.1 - 0.8.7

External links
https://libvirt.org/git/?p=libvirt.git;a=commit;h=f44bfb7fb978c9313ce050a1c4149bf04aa0a670
https://secunia.com/advisories/44459
https://securitytracker.com/id?1025477
https://support.avaya.com/css/P8/documents/100134583
https://www.debian.org/security/2011/dsa-2280
https://www.redhat.com/support/errata/RHSA-2011-0478.html
https://www.redhat.com/support/errata/RHSA-2011-0479.html
https://www.securityfocus.com/bid/47148
https://www.ubuntu.com/usn/USN-1152-1
https://bugzilla.redhat.com/show_bug.cgi?id=693391
https://www.redhat.com/archives/libvir-list/2011-March/msg01087.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for libvirt

Resource management error in libvirt