ID CVE-2012-4423
Summary The virNetServerProgramDispatchCall function in libvirt before 0.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and segmentation fault) via an RPC call with (1) an event as the RPC number or (2) an RPC number whose value is in a "gap" in the RPC dispatch table.
References
Vulnerable Configurations
  • Red Hat libvirt 0.8.8
    cpe:2.3:a:redhat:libvirt:0.8.8
  • Red Hat libvirt 0.6.4
    cpe:2.3:a:redhat:libvirt:0.6.4
  • Red Hat libvirt 0.6.5
    cpe:2.3:a:redhat:libvirt:0.6.5
  • Red Hat libvirt 0.9.1
    cpe:2.3:a:redhat:libvirt:0.9.1
  • Red Hat libvirt 0.9.0
    cpe:2.3:a:redhat:libvirt:0.9.0
  • Red Hat libvirt 0.1.9
    cpe:2.3:a:redhat:libvirt:0.1.9
  • Red Hat libvirt 0.2.0
    cpe:2.3:a:redhat:libvirt:0.2.0
  • Red Hat libvirt 0.1.7
    cpe:2.3:a:redhat:libvirt:0.1.7
  • Red Hat libvirt 0.1.8
    cpe:2.3:a:redhat:libvirt:0.1.8
  • Red Hat libvirt 0.2.3
    cpe:2.3:a:redhat:libvirt:0.2.3
  • Red Hat libvirt 0.3.0
    cpe:2.3:a:redhat:libvirt:0.3.0
  • Red Hat libvirt 0.2.1
    cpe:2.3:a:redhat:libvirt:0.2.1
  • Red Hat libvirt 0.2.2
    cpe:2.3:a:redhat:libvirt:0.2.2
  • Red Hat libvirt 0.1.0
    cpe:2.3:a:redhat:libvirt:0.1.0
  • Red Hat libvirt 0.1.1
    cpe:2.3:a:redhat:libvirt:0.1.1
  • Red Hat libvirt 0.0.5
    cpe:2.3:a:redhat:libvirt:0.0.5
  • Red Hat libvirt 0.0.6
    cpe:2.3:a:redhat:libvirt:0.0.6
  • Red Hat libvirt 0.1.5
    cpe:2.3:a:redhat:libvirt:0.1.5
  • Red Hat libvirt 0.1.6
    cpe:2.3:a:redhat:libvirt:0.1.6
  • Red Hat libvirt 0.1.3
    cpe:2.3:a:redhat:libvirt:0.1.3
  • Red Hat libvirt 0.1.4
    cpe:2.3:a:redhat:libvirt:0.1.4
  • Red Hat libvirt 0.5.1
    cpe:2.3:a:redhat:libvirt:0.5.1
  • Red Hat libvirt 0.8.0
    cpe:2.3:a:redhat:libvirt:0.8.0
  • Red Hat libvirt 0.5.0
    cpe:2.3:a:redhat:libvirt:0.5.0
  • Red Hat libvirt 0.8.1
    cpe:2.3:a:redhat:libvirt:0.8.1
  • Red Hat libvirt 0.4.6
    cpe:2.3:a:redhat:libvirt:0.4.6
  • Red Hat libvirt 0.8.2
    cpe:2.3:a:redhat:libvirt:0.8.2
  • Red Hat libvirt 0.8.3
    cpe:2.3:a:redhat:libvirt:0.8.3
  • Red Hat libvirt 0.4.5
    cpe:2.3:a:redhat:libvirt:0.4.5
  • Red Hat libvirt 0.6.3
    cpe:2.3:a:redhat:libvirt:0.6.3
  • Red Hat libvirt 0.6.2
    cpe:2.3:a:redhat:libvirt:0.6.2
  • Red Hat libvirt 0.6.1
    cpe:2.3:a:redhat:libvirt:0.6.1
  • Red Hat libvirt 0.6.0
    cpe:2.3:a:redhat:libvirt:0.6.0
  • Red Hat libvirt 0.4.0
    cpe:2.3:a:redhat:libvirt:0.4.0
  • Red Hat libvirt 0.3.3
    cpe:2.3:a:redhat:libvirt:0.3.3
  • Red Hat libvirt 0.3.2
    cpe:2.3:a:redhat:libvirt:0.3.2
  • Red Hat libvirt 0.3.1
    cpe:2.3:a:redhat:libvirt:0.3.1
  • Red Hat libvirt 0.8.4
    cpe:2.3:a:redhat:libvirt:0.8.4
  • Red Hat libvirt 0.4.4
    cpe:2.3:a:redhat:libvirt:0.4.4
  • Red Hat libvirt 0.8.5
    cpe:2.3:a:redhat:libvirt:0.8.5
  • Red Hat libvirt 0.4.3
    cpe:2.3:a:redhat:libvirt:0.4.3
  • Red Hat libvirt 0.8.6
    cpe:2.3:a:redhat:libvirt:0.8.6
  • Red Hat libvirt 0.4.2
    cpe:2.3:a:redhat:libvirt:0.4.2
  • Red Hat libvirt 0.8.7
    cpe:2.3:a:redhat:libvirt:0.8.7
  • Red Hat libvirt 0.4.1
    cpe:2.3:a:redhat:libvirt:0.4.1
  • Red Hat libvirt 0.9.8
    cpe:2.3:a:redhat:libvirt:0.9.8
  • Red Hat libvirt 0.0.2
    cpe:2.3:a:redhat:libvirt:0.0.2
  • Red Hat libvirt 0.9.9
    cpe:2.3:a:redhat:libvirt:0.9.9
  • Red Hat libvirt 0.0.1
    cpe:2.3:a:redhat:libvirt:0.0.1
  • Red Hat libvirt 0.9.10
    cpe:2.3:a:redhat:libvirt:0.9.10
  • Red Hat libvirt 0.0.4
    cpe:2.3:a:redhat:libvirt:0.0.4
  • Red Hat libvirt 0.0.3
    cpe:2.3:a:redhat:libvirt:0.0.3
  • Red Hat libvirt 0.9.4
    cpe:2.3:a:redhat:libvirt:0.9.4
  • Red Hat libvirt 0.7.2
    cpe:2.3:a:redhat:libvirt:0.7.2
  • Red Hat libvirt 0.9.5
    cpe:2.3:a:redhat:libvirt:0.9.5
  • Red Hat libvirt 0.7.3
    cpe:2.3:a:redhat:libvirt:0.7.3
  • Red Hat libvirt 0.9.6
    cpe:2.3:a:redhat:libvirt:0.9.6
  • Red Hat libvirt 0.7.0
    cpe:2.3:a:redhat:libvirt:0.7.0
  • Red Hat libvirt 0.9.7
    cpe:2.3:a:redhat:libvirt:0.9.7
  • Red Hat libvirt 0.7.1
    cpe:2.3:a:redhat:libvirt:0.7.1
  • Red Hat libvirt 0.7.6
    cpe:2.3:a:redhat:libvirt:0.7.6
  • Red Hat libvirt 0.9.12
    cpe:2.3:a:redhat:libvirt:0.9.12
  • Red Hat libvirt 0.7.7
    cpe:2.3:a:redhat:libvirt:0.7.7
  • Red Hat libvirt 0.9.11
    cpe:2.3:a:redhat:libvirt:0.9.11
  • Red Hat libvirt 0.7.4
    cpe:2.3:a:redhat:libvirt:0.7.4
  • Red Hat libvirt 0.9.3
    cpe:2.3:a:redhat:libvirt:0.9.3
  • Red Hat libvirt 0.7.5
    cpe:2.3:a:redhat:libvirt:0.7.5
  • Red Hat libvirt 0.9.2
    cpe:2.3:a:redhat:libvirt:0.9.2
  • Red Hat libvirt 0.9.13
    cpe:2.3:a:redhat:libvirt:0.9.13
  • Red Hat libvirt 0.10.0
    cpe:2.3:a:redhat:libvirt:0.10.0
  • Red Hat libvirt 0.10.1
    cpe:2.3:a:redhat:libvirt:0.10.1
CVSS
Base: 5.0 (as of 19-11-2012 - 12:24)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality NONE
  • Integrity NONE
  • Availability PARTIAL
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2012-1359.NASL
    description Updated libvirt packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. A flaw was found in libvirtd's RPC call handling. An attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd by sending an RPC message that has an event as the RPC number, or an RPC number that falls into a gap in the RPC dispatch table. (CVE-2012-4423) This issue was discovered by Wenlong Huang of the Red Hat Virtualization QE Team. This update also fixes the following bugs : * When the host_uuid option was present in the libvirtd.conf file, the augeas libvirt lens was unable to parse the file. This bug has been fixed and the augeas libvirt lens now parses libvirtd.conf as expected in the described scenario. (BZ#858988) * Disk hot plug is a two-part action: the qemuMonitorAddDrive() call is followed by the qemuMonitorAddDevice() call. When the first part succeeded but the second one failed, libvirt failed to roll back the first part and the device remained in use even though the disk hot plug failed. With this update, the rollback for the drive addition is properly performed in the described scenario and disk hot plug now works as expected. (BZ#859376) * When a virtual machine was started with an image chain using block devices and a block rebase operation was issued, the operation failed on completion in the blockJobAbort() function. 
    This update relabels and configures cgroups for the backing files and the rebase operation now succeeds. (BZ#860720) All users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 62520
    published 2012-10-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62520
    title CentOS 6 : libvirt (CESA-2012:1359)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20121011_LIBVIRT_ON_SL6_X.NASL
    description The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. A flaw was found in libvirtd's RPC call handling. An attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd by sending an RPC message that has an event as the RPC number, or an RPC number that falls into a gap in the RPC dispatch table. (CVE-2012-4423) This update also fixes the following bugs : - When the host_uuid option was present in the libvirtd.conf file, the augeas libvirt lens was unable to parse the file. This bug has been fixed and the augeas libvirt lens now parses libvirtd.conf as expected in the described scenario. - Disk hot plug is a two-part action: the qemuMonitorAddDrive() call is followed by the qemuMonitorAddDevice() call. When the first part succeeded but the second one failed, libvirt failed to roll back the first part and the device remained in use even though the disk hot plug failed. With this update, the rollback for the drive addition is properly performed in the described scenario and disk hot plug now works as expected. - When a virtual machine was started with an image chain using block devices and a block rebase operation was issued, the operation failed on completion in the blockJobAbort() function. This update relabels and configures cgroups for the backing files and the rebase operation now succeeds. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 62506
    published 2012-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62506
    title Scientific Linux Security Update : libvirt on SL6.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-15634.NASL
    description - Rebased to version 0.9.11.6 - Fix LXC domain startup with selinux=disabled (bz #858104) - CVE-2012-4423 Fix null dereference (bz #857135, bz #857133) - dnsmasq: avoid forwarding queries without a domain (bz #849787) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-05-09
    plugin id 62551
    published 2012-10-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62551
    title Fedora 17 : libvirt-0.9.11.6-1.fc17 (2012-15634)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-1359.NASL
    description From Red Hat Security Advisory 2012:1359 : Updated libvirt packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. A flaw was found in libvirtd's RPC call handling. An attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd by sending an RPC message that has an event as the RPC number, or an RPC number that falls into a gap in the RPC dispatch table. (CVE-2012-4423) This issue was discovered by Wenlong Huang of the Red Hat Virtualization QE Team. This update also fixes the following bugs : * When the host_uuid option was present in the libvirtd.conf file, the augeas libvirt lens was unable to parse the file. This bug has been fixed and the augeas libvirt lens now parses libvirtd.conf as expected in the described scenario. (BZ#858988) * Disk hot plug is a two-part action: the qemuMonitorAddDrive() call is followed by the qemuMonitorAddDevice() call. When the first part succeeded but the second one failed, libvirt failed to roll back the first part and the device remained in use even though the disk hot plug failed. With this update, the rollback for the drive addition is properly performed in the described scenario and disk hot plug now works as expected. (BZ#859376) * When a virtual machine was started with an image chain using block devices and a block rebase operation was issued, the operation failed on completion in the blockJobAbort() function. 
    This update relabels and configures cgroups for the backing files and the rebase operation now succeeds. (BZ#860720) All users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68637
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68637
    title Oracle Linux 6 : libvirt (ELSA-2012-1359)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-15640.NASL
    description - Rebased to version 0.9.6.3 - CVE-2012-4423 Fix null dereference (bz #857135, bz #857133) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-05-09
    plugin id 62569
    published 2012-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62569
    title Fedora 16 : libvirt-0.9.6.3-1.fc16 (2012-15640)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-1359.NASL
    description Updated libvirt packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. A flaw was found in libvirtd's RPC call handling. An attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd by sending an RPC message that has an event as the RPC number, or an RPC number that falls into a gap in the RPC dispatch table. (CVE-2012-4423) This issue was discovered by Wenlong Huang of the Red Hat Virtualization QE Team. This update also fixes the following bugs : * When the host_uuid option was present in the libvirtd.conf file, the augeas libvirt lens was unable to parse the file. This bug has been fixed and the augeas libvirt lens now parses libvirtd.conf as expected in the described scenario. (BZ#858988) * Disk hot plug is a two-part action: the qemuMonitorAddDrive() call is followed by the qemuMonitorAddDevice() call. When the first part succeeded but the second one failed, libvirt failed to roll back the first part and the device remained in use even though the disk hot plug failed. With this update, the rollback for the drive addition is properly performed in the described scenario and disk hot plug now works as expected. (BZ#859376) * When a virtual machine was started with an image chain using block devices and a block rebase operation was issued, the operation failed on completion in the blockJobAbort() function. 
    This update relabels and configures cgroups for the backing files and the rebase operation now succeeds. (BZ#860720) All users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 62505
    published 2012-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62505
    title RHEL 6 : libvirt (RHSA-2012:1359)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1708-1.NASL
    description Wenlong Huang discovered that libvirt incorrectly handled certain RPC calls. A remote attacker could exploit this and cause libvirt to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-4423) Tingting Zheng discovered that libvirt incorrectly handled cleanup under certain error conditions. A remote attacker could exploit this and cause libvirt to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-0170). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 64289
    published 2013-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64289
    title Ubuntu 12.04 LTS / 12.10 : libvirt vulnerabilities (USN-1708-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-105.NASL
    description libvirt was updated to fix some bugs and security issues : Security issues fixed : - Fix crash on error paths of message dispatching, CVE-2013-0170 bnc#800976 - security: Fix libvirtd crash possibility CVE-2012-4423 bnc#780432 Also bugs were fixed : - qemu: Fix probing for guest capabilities bnc#772586 - xen-xm: Generate UUID if not specified bnc#773626 - xenParseXM: don't dereference NULL pointer when script is empty bnc#773621
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74880
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74880
    title openSUSE Security Update : libvirt (openSUSE-SU-2013:0274-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_LIBVIRT-201211-121102.NASL
    description libvirt received security and bugfixes : - Fixed a libvirt remote denial of service (crash) problem. The following bugs have been fixed :. (CVE-2012-4423) - qemu: Fix probing for guest capabilities - xen-xm: Generate UUID if not specified - xenParseXM: don't dereference NULL pointer when script is empty
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 64201
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64201
    title SuSE 11.2 Security Update : libvirt (SAT Patch Number 7015)
redhat via4
advisories
bugzilla
id 860720
title Relabel and configure cgroups for the backing files on VIR_DOMAIN_BLOCK_JOB_ABORT_PIVOT
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment libvirt is earlier than 0:0.9.10-21.el6_3.5
        oval oval:com.redhat.rhsa:tst:20121359005
      • comment libvirt is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581006
    • AND
      • comment libvirt-client is earlier than 0:0.9.10-21.el6_3.5
        oval oval:com.redhat.rhsa:tst:20121359011
      • comment libvirt-client is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581008
    • AND
      • comment libvirt-devel is earlier than 0:0.9.10-21.el6_3.5
        oval oval:com.redhat.rhsa:tst:20121359007
      • comment libvirt-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581010
    • AND
      • comment libvirt-lock-sanlock is earlier than 0:0.9.10-21.el6_3.5
        oval oval:com.redhat.rhsa:tst:20121359013
      • comment libvirt-lock-sanlock is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581014
    • AND
      • comment libvirt-python is earlier than 0:0.9.10-21.el6_3.5
        oval oval:com.redhat.rhsa:tst:20121359009
      • comment libvirt-python is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581012
rhsa
id RHSA-2012:1359
released 2012-10-11
severity Moderate
title RHSA-2012:1359: libvirt security and bug fix update (Moderate)
rpms
  • libvirt-0:0.9.10-21.el6_3.5
  • libvirt-client-0:0.9.10-21.el6_3.5
  • libvirt-devel-0:0.9.10-21.el6_3.5
  • libvirt-lock-sanlock-0:0.9.10-21.el6_3.5
  • libvirt-python-0:0.9.10-21.el6_3.5
refmap via4
bid 55541
confirm
fedora
  • FEDORA-2012-15634
  • FEDORA-2012-15640
misc https://bugzilla.redhat.com/show_bug.cgi?id=857133
mlist
  • [libvirt] 20120912 [PATCH] Fix libvirtd crash possibility
  • [oss-security] 20120913 Re: CVE Request -- libvirt: null function pointer invocation in virNetServerProgramDispatchCall()
sectrack 1027649
suse openSUSE-SU-2013:0274
ubuntu USN-1708-1
Last major update 07-03-2013 - 23:09
Published 19-11-2012 - 07:10