CVE-2015-5160 – libvirt: Ceph id/key leaked in the process list
https://notcve.org/view.php?id=CVE-2015-5160
libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka RBD), which allows local users to obtain sensitive information via a process listing. libvirt en versiones anteriores a la 2.2 incluye las credenciales de Ceph en la línea de comandos qemu cuando se utiliza RADOS Block Device (también conocido como RBD), lo que permite a los usuarios locales obtener información sensible mediante un listado de procesos. It was found that the libvirt daemon, when using RBD (RADOS Block Device), leaked private credentials to the process list. A local attacker could use this flaw to perform certain privileged operations within the cluster. • http://rhn.redhat.com/errata/RHSA-2016-2577.html http://www.openwall.com/lists/oss-security/2017/07/21/3 https://bugs.launchpad.net/ossn/+bug/1686743 https://bugzilla.redhat.com/show_bug.cgi?id=1245647 https://wiki.openstack.org/wiki/OSSN/OSSN-0079 https://access.redhat.com/security/cve/CVE-2015-5160 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-3657 – libvirt: domain_conf: domain deadlock DoS
https://notcve.org/view.php?id=CVE-2014-3657
The virDomainListPopulate function in conf/domain_conf.c in libvirt before 1.2.9 does not clean up the lock on the list of domains, which allows remote attackers to cause a denial of service (deadlock) via a NULL value in the second parameter in the virConnectListAllDomains API command. La función virDomainListPopulate en conf/domain_conf.c en libvirt anterior a 1.2.9 no limpia el bloqueo en la lista de dominios, lo que permite a atacantes remotos causar una denegación de servicio (bloqueo mutuo) a través de un valor nulo en el parámetro second en el comando de API virConnectListAllDomains. A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. • http://libvirt.org/git/?p=libvirt.git%3Ba=commitdiff%3Bh=fc22b2e74890873848b43fffae43025d22053669 http://lists.opensuse.org/opensuse-updates/2014-10/msg00014.html http://lists.opensuse.org/opensuse-updates/2014-10/msg00017.html http://rhn.redhat.com/errata/RHSA-2014-1352.html http://secunia.com/advisories/60291 http://secunia.com/advisories/62303 http://security.libvirt.org/2014/0005.html http://www.ubuntu.com/usn/USN-2404-1 https://access.redhat.com/security/cve/CVE-2014-3657 https • CWE-20: Improper Input Validation CWE-399: Resource Management Errors •
CVE-2014-3633 – libvirt: qemu: out-of-bounds read access in qemuDomainGetBlockIoTune() due to invalid index
https://notcve.org/view.php?id=CVE-2014-3633
The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt before 1.2.9, when a disk has been hot-plugged or removed from the live image, allows remote attackers to cause a denial of service (crash) or read sensitive heap information via a crafted blkiotune query, which triggers an out-of-bounds read. La función qemuDomainGetBlockIoTune en qemu/qemu_driver.c en libvirt anterior a 1.2.9, cuando un disco ha sido conectado en caliente o eliminado de la imagen en vivo, permite a atacantes remotos causar una denegación de servicio (caída) o leer información sensible de la memoria dinámica a través de una consulta blkiotune manipulada, lo que provoca una lectura fuera de rango. An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process. • http://libvirt.org/git/?p=libvirt.git%3Ba=commitdiff%3Bh=3e745e8f775dfe6f64f18b5c2fe4791b35d3546b http://lists.opensuse.org/opensuse-updates/2014-10/msg00014.html http://lists.opensuse.org/opensuse-updates/2014-10/msg00017.html http://rhn.redhat.com/errata/RHSA-2014-1352.html http://secunia.com/advisories/60291 http://secunia.com/advisories/60895 http://security.gentoo.org/glsa/glsa-201412-04.xml http://security.libvirt.org/2014/0004.html http://www.debian.org/security/2014/dsa-3038 h • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVE-2010-2242 – libvirt: improperly mapped source privileged ports may allow for obtaining privileged resources on the host
https://notcve.org/view.php?id=CVE-2010-2242
Red Hat libvirt 0.2.0 through 0.8.2 creates iptables rules with improper mappings of privileged source ports, which allows guest OS users to bypass intended access restrictions by leveraging IP address and source-port values, as demonstrated by copying and deleting an NFS directory tree. Red Hat libvirt v0.2.0 hasta v0.8.2 crea reglas de iptable con asignaciones inadecuadas de puertos de origen privilegiados, lo que permite a usuarios invitados del SO evitar las restricciones de acceso establecidas aprovechando los valores de dirección IP y puerto-origen, como se ha demostrado copiando y eliminando un arbol de ficheros NFS. • http://libvirt.org/news.html http://lists.fedoraproject.org/pipermail/package-announce/2010-July/044520.html http://lists.fedoraproject.org/pipermail/package-announce/2010-July/044579.html http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html http://ubuntu.com/usn/usn-1008-1 http://ubuntu.com/usn/usn-1008-2 http://ubuntu.com/usn/usn-1008-3 http://www.redhat.com/support/errata/RHSA-2010-0615.html http://www.vupen.com/english/advisories/2010/2062 http • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2010-2238
https://notcve.org/view.php?id=CVE-2010-2238
Red Hat libvirt, possibly 0.7.2 through 0.8.2, recurses into disk-image backing stores without extracting the defined disk backing-store format, which might allow guest OS users to read arbitrary files on the host OS, and possibly have unspecified other impact, via unknown vectors. Red Hat libvirt, posiblemente v0.7.2 hasta v0.8.2, se repite en almacenes de respaldo de imagen de disco sin extraer el formato de disco de respaldo definido, lo cual puede permitir a usuarios invitados del Sistema Operativo leer ficheros a su elección en el Sistema Operativo anfitrión, y posiblemente tener otros impactos no especificados, a través de vectores desconocidos. • http://libvirt.org/news.html http://lists.fedoraproject.org/pipermail/package-announce/2010-July/044520.html http://lists.fedoraproject.org/pipermail/package-announce/2010-July/044579.html http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html http://ubuntu.com/usn/usn-1008-1 http://ubuntu.com/usn/usn-1008-2 http://ubuntu.com/usn/usn-1008-3 http://www.vupen.com/english/advisories/2010/2763 https://bugzilla.redhat.com/show_bug.cgi?id=607811 • CWE-264: Permissions, Privileges, and Access Controls •