
CVE-2014-7823

libvirt: dumpxml: information leak with migratable flag

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote read-only users to obtain the VNC password by using the VIR_DOMAIN_XML_MIGRATABLE flag, which triggers the use of the VIR_DOMAIN_XML_SECURE flag.

The virDomainGetXMLDesc API in Libvirt in versions before 1.2.11 allows remote read-only users to obtain the VNC password using the VIR_DOMAIN_XML_MIGRATABLE flag, which triggers the use of the VIR_DOMAIN_XML_SECURE flag.

It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data.

The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process.

*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Attack Vector: Network
Attack Complexity: Low
Authentication: None
Confidentiality: Partial
Integrity: None
Availability: None

Attack Vector: Adjacent
Attack Complexity: Low
Authentication: None
Confidentiality: Partial
Integrity: None
Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2014-10-03 CVE Reserved
  • 2014-11-11 CVE Published
  • 2024-08-06 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-255: Credentials Management Errors
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product   Version     Other   Status
Redhat   Libvirt   <= 1.2.10   -       Affected
Redhat   Libvirt   1.2.0       -       Affected
Redhat   Libvirt   1.2.1       -       Affected
Redhat   Libvirt   1.2.2       -       Affected
Redhat   Libvirt   1.2.3       -       Affected
Redhat   Libvirt   1.2.4       -       Affected
Redhat   Libvirt   1.2.5       -       Affected
Redhat   Libvirt   1.2.6       -       Affected
Redhat   Libvirt   1.2.7       -       Affected
Redhat   Libvirt   1.2.8       -       Affected
Redhat   Libvirt   1.2.9       -       Affected