ID CVE-2013-0170
Summary Use-after-free vulnerability in the virNetMessageFree function in rpc/virnetserverclient.c in libvirt 1.0.x before 1.0.2, 0.10.2 before 0.10.2.3, 0.9.11 before 0.9.11.9, and 0.9.6 before 0.9.6.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering certain errors during an RPC connection, which causes a message to be freed without being removed from the message queue.
References
Vulnerable Configurations
  • OpenSUSE 12.1
    cpe:2.3:o:opensuse:opensuse:12.1
  • OpenSUSE 12.2
    cpe:2.3:o:opensuse:opensuse:12.2
  • Canonical Ubuntu Linux 12.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts
  • Canonical Ubuntu Linux 12.10
    cpe:2.3:o:canonical:ubuntu_linux:12.10
  • SUSE Linux Enterprise Software Development Kit 11.0 Service Pack 2
    cpe:2.3:a:suse:suse_linux_enterprise_software_development_kit:11.0:sp2
  • Novell SUSE Linux Enterprise Desktop 11
    cpe:2.3:o:novell:suse_linux:11:-:desktop
  • Novell SUSE Linux Enterprise Server 11
    cpe:2.3:o:novell:suse_linux:11:-:server
  • Fedora 17
    cpe:2.3:o:fedoraproject:fedora:17
  • Fedora 18
    cpe:2.3:o:fedoraproject:fedora:18
  • Red Hat Enterprise Linux 6.0
    cpe:2.3:o:redhat:enterprise_linux:6.0
  • cpe:2.3:a:redhat:libvirt:-:0.9.11
    cpe:2.3:a:redhat:libvirt:-:0.9.11
  • cpe:2.3:a:redhat:libvirt:-:0.9.11.1
    cpe:2.3:a:redhat:libvirt:-:0.9.11.1
  • cpe:2.3:a:redhat:libvirt:-:0.9.11.2
    cpe:2.3:a:redhat:libvirt:-:0.9.11.2
  • cpe:2.3:a:redhat:libvirt:-:0.9.11.3
    cpe:2.3:a:redhat:libvirt:-:0.9.11.3
  • cpe:2.3:a:redhat:libvirt:-:0.9.11.4
    cpe:2.3:a:redhat:libvirt:-:0.9.11.4
  • cpe:2.3:a:redhat:libvirt:-:0.9.11.5
    cpe:2.3:a:redhat:libvirt:-:0.9.11.5
  • cpe:2.3:a:redhat:libvirt:-:0.9.11.6
    cpe:2.3:a:redhat:libvirt:-:0.9.11.6
  • cpe:2.3:a:redhat:libvirt:-:0.9.11.7
    cpe:2.3:a:redhat:libvirt:-:0.9.11.7
  • cpe:2.3:a:redhat:libvirt:-:0.9.11.8
    cpe:2.3:a:redhat:libvirt:-:0.9.11.8
  • Red Hat libvirt 0.9.6
    cpe:2.3:a:redhat:libvirt:0.9.6
  • Red Hat libvirt 0.9.6.1
    cpe:2.3:a:redhat:libvirt:0.9.6.1
  • Red Hat libvirt 0.9.6.2
    cpe:2.3:a:redhat:libvirt:0.9.6.2
  • Red Hat libvirt 0.9.6.3
    cpe:2.3:a:redhat:libvirt:0.9.6.3
  • Red Hat libvirt 0.10.2
    cpe:2.3:a:redhat:libvirt:0.10.2
  • Red Hat libvirt 0.10.2.1
    cpe:2.3:a:redhat:libvirt:0.10.2.1
  • Red Hat libvirt 0.10.2.2
    cpe:2.3:a:redhat:libvirt:0.10.2.2
  • Red Hat libvirt 1.0.0
    cpe:2.3:a:redhat:libvirt:1.0.0
  • Red Hat libvirt 1.0.1
    cpe:2.3:a:redhat:libvirt:1.0.1
CVSS
Base: 9.3 (as of 14-01-2015 - 11:34)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1642.NASL
    description - Rebased to version 0.9.6.4 - CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz #905173) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 64497
    published 2013-02-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64497
    title Fedora 16 : libvirt-0.9.6.4-1.fc16 (2013-1642)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1708-1.NASL
    description Wenlong Huang discovered that libvirt incorrectly handled certain RPC calls. A remote attacker could exploit this and cause libvirt to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-4423) Tingting Zheng discovered that libvirt incorrectly handled cleanup under certain error conditions. A remote attacker could exploit this and cause libvirt to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-0170). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 64289
    published 2013-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64289
    title Ubuntu 12.04 LTS / 12.10 : libvirt vulnerabilities (USN-1708-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201309-18.NASL
    description The remote host is affected by the vulnerability described in GLSA-201309-18 (libvirt: Multiple vulnerabilities) An error in the virNetMessageFree() function in rpc/virnetserverclient.c can lead to a use-after-free. Additionally, a socket leak in the remoteDispatchStoragePoolListAllVolumes command can lead to file descriptor exhaustion. Impact : A remote attacker could cause certain errors during an RPC connection to cause a message to be freed without being removed from the message queue, possibly resulting in execution of arbitrary code or a Denial of Service condition. Additionally, a remote attacker could repeatedly issue the command to list all pool volumes, causing a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 70130
    published 2013-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70130
    title GLSA-201309-18 : libvirt: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-108.NASL
    description - Update to libvirt 0.9.11.9 stable release - Fixes CVE-2013-0170 by including cherry picked master commit 46532e3e, bnc#800976 - Fix starting lxc VM e.g. from OpenStack bnc#793900 and rh#858104
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74883
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74883
    title openSUSE Security Update : libvirt (openSUSE-SU-2013:0275-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_LIBVIRT-130205.NASL
    description libvirt was updated to fix the following security issue : - A flaw was found in the way message freeing on connection cleanup was handled under certain error conditions. A remote user able to issue commands to libvirt daemon could use this flaw to crash libvirtd or, potentially, escalate their privileges to that of libvirtd process. (CVE-2013-0170) Also following bug has been fixed : - Add managedSave functions to legacy xen driver (bnc#782311)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 64781
    published 2013-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64781
    title SuSE 11.2 Security Update : libvirt (SAT Patch Number 7310)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1626.NASL
    description - Rebased to version 0.9.11.9 - CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz #905173) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 64496
    published 2013-02-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64496
    title Fedora 17 : libvirt-0.9.11.9-1.fc17 (2013-1626)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0199.NASL
    description Updated libvirt packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. A flaw was found in the way libvirtd handled connection cleanup (when a connection was being closed) under certain error conditions. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, execute arbitrary code with the privileges of the root user. (CVE-2013-0170) This issue was discovered by Tingting Zheng of Red Hat. All users of libvirt are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 67096
    published 2013-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67096
    title CentOS 6 : libvirt (CESA-2013:0199)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0199.NASL
    description Updated libvirt packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. A flaw was found in the way libvirtd handled connection cleanup (when a connection was being closed) under certain error conditions. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, execute arbitrary code with the privileges of the root user. (CVE-2013-0170) This issue was discovered by Tingting Zheng of Red Hat. All users of libvirt are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 64280
    published 2013-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64280
    title RHEL 6 : libvirt (RHSA-2013:0199)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-105.NASL
    description libvirt was updated to fix some bugs and security issues : Security issues fixed : - Fix crash on error paths of message dispatching, CVE-2013-0170 bnc#800976 - security: Fix libvirtd crash possibility CVE-2012-4423 bnc#780432 Also bugs were fixed : - qemu: Fix probing for guest capabilities bnc#772586 - xen-xm: Generate UUID if not specified bnc#773626 - xenParseXM: don't dereference NULL pointer when script is empty bnc#773621
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74880
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74880
    title openSUSE Security Update : libvirt (openSUSE-SU-2013:0274-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0199.NASL
    description From Red Hat Security Advisory 2013:0199 : Updated libvirt packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. A flaw was found in the way libvirtd handled connection cleanup (when a connection was being closed) under certain error conditions. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, execute arbitrary code with the privileges of the root user. (CVE-2013-0170) This issue was discovered by Tingting Zheng of Red Hat. All users of libvirt are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 68716
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68716
    title Oracle Linux 6 : libvirt (ELSA-2013-0199)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1644.NASL
    description - Rebased to version 0.10.2.3 - Fix libxl driver to build against xen 4.2 (bz #870689) - Fix possible crash when destroying guests (bz #877110) - Fix loading sysctl file (bz #887017) - Fix svirt memory leak (bz #890039) - Fix attaching PCI netdev to VM (bz #893131) - Fix libvirtd segfault on shutdown (bz #903184) - Raise mem limit to stop qemu processes from getting OOM killed (bz #903432) - CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz #905173) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 64477
    published 2013-02-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64477
    title Fedora 18 : libvirt-0.10.2.3-1.fc18 (2013-1644)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130128_LIBVIRT_ON_SL6_X.NASL
    description A flaw was found in the way libvirtd handled connection cleanup (when a connection was being closed) under certain error conditions. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, execute arbitrary code with the privileges of the root user. (CVE-2013-0170) After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 64282
    published 2013-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64282
    title Scientific Linux Security Update : libvirt on SL6.x i386/x86_64
redhat via4
advisories
bugzilla
id 893450
title CVE-2013-0170 libvirt: use-after-free in virNetMessageFree()
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment libvirt is earlier than 0:0.9.10-21.el6_3.8
        oval oval:com.redhat.rhsa:tst:20130199005
      • comment libvirt is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581006
    • AND
      • comment libvirt-client is earlier than 0:0.9.10-21.el6_3.8
        oval oval:com.redhat.rhsa:tst:20130199007
      • comment libvirt-client is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581008
    • AND
      • comment libvirt-devel is earlier than 0:0.9.10-21.el6_3.8
        oval oval:com.redhat.rhsa:tst:20130199011
      • comment libvirt-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581010
    • AND
      • comment libvirt-lock-sanlock is earlier than 0:0.9.10-21.el6_3.8
        oval oval:com.redhat.rhsa:tst:20130199013
      • comment libvirt-lock-sanlock is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581014
    • AND
      • comment libvirt-python is earlier than 0:0.9.10-21.el6_3.8
        oval oval:com.redhat.rhsa:tst:20130199009
      • comment libvirt-python is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581012
rhsa
id RHSA-2013:0199
released 2013-01-28
severity Important
title RHSA-2013:0199: libvirt security update (Important)
rpms
  • libvirt-0:0.9.10-21.el6_3.8
  • libvirt-client-0:0.9.10-21.el6_3.8
  • libvirt-devel-0:0.9.10-21.el6_3.8
  • libvirt-lock-sanlock-0:0.9.10-21.el6_3.8
  • libvirt-python-0:0.9.10-21.el6_3.8
refmap via4
bid 57578
confirm
fedora
  • FEDORA-2013-1626
  • FEDORA-2013-1642
  • FEDORA-2013-1644
osvdb 89644
sectrack 1028047
secunia
  • 52001
  • 52003
suse
  • SUSE-SU-2013:0320
  • openSUSE-SU-2013:0274
  • openSUSE-SU-2013:0275
ubuntu USN-1708-1
xf libvirt-virnetmessagefree-code-exec(81552)
Last major update 14-01-2015 - 12:22
Published 08-02-2013 - 15:55
Last modified 22-04-2019 - 13:48