ID CVE-2013-1962
Summary The remoteDispatchStoragePoolListAllVolumes function in the storage pool manager in libvirt 1.0.5 allows remote attackers to cause a denial of service (file descriptor consumption) via a large number of requests "to list all volumes for the particular pool."
References
Vulnerable Configurations
  • Red Hat libvirt 1.0.5
    cpe:2.3:a:redhat:libvirt:1.0.5
CVSS
Base: 5.0 (as of 29-05-2013 - 11:16)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector   Complexity  Authentication
NETWORK  LOW         NONE
Impact
Confidentiality  Integrity  Availability
NONE             NONE       PARTIAL
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0831.NASL
    description Updated libvirt packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was found that libvirtd leaked file descriptors when listing all volumes for a particular pool. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to cause libvirtd to consume all available file descriptors, preventing other users from using libvirtd services (such as starting a new guest) until libvirtd is restarted. (CVE-2013-1962) Red Hat would like to thank Edoardo Comar of IBM for reporting this issue. This update also fixes the following bugs : * Previously, libvirt made control group (cgroup) requests on files that it should not have. With older kernels, such nonsensical cgroup requests were ignored; however, newer kernels are stricter, resulting in libvirt logging spurious warnings and failures to the libvirtd and audit logs. The audit log failures displayed by the ausearch tool were similar to the following : root [date] - failed cgroup allow path rw /dev/kqemu With this update, libvirt no longer attempts the nonsensical cgroup actions, leaving only valid attempts in the libvirtd and audit logs (making it easier to search for real cases of failure). (BZ#958837) * Previously, libvirt used the wrong variable when constructing audit messages. This led to invalid audit messages, causing ausearch to format certain entries as having 'path=(null)' instead of the correct path. 
    This could prevent ausearch from locating events related to cgroup device ACL modifications for guests managed by libvirt. With this update, the audit messages are generated correctly, preventing loss of audit coverage. (BZ#958839) All users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 66489
    published 2013-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66489
    title RHEL 6 : libvirt (RHSA-2013:0831)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0831.NASL
    description From Red Hat Security Advisory 2013:0831 : Updated libvirt packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was found that libvirtd leaked file descriptors when listing all volumes for a particular pool. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to cause libvirtd to consume all available file descriptors, preventing other users from using libvirtd services (such as starting a new guest) until libvirtd is restarted. (CVE-2013-1962) Red Hat would like to thank Edoardo Comar of IBM for reporting this issue. This update also fixes the following bugs : * Previously, libvirt made control group (cgroup) requests on files that it should not have. With older kernels, such nonsensical cgroup requests were ignored; however, newer kernels are stricter, resulting in libvirt logging spurious warnings and failures to the libvirtd and audit logs. The audit log failures displayed by the ausearch tool were similar to the following : root [date] - failed cgroup allow path rw /dev/kqemu With this update, libvirt no longer attempts the nonsensical cgroup actions, leaving only valid attempts in the libvirtd and audit logs (making it easier to search for real cases of failure). (BZ#958837) * Previously, libvirt used the wrong variable when constructing audit messages. This led to invalid audit messages, causing ausearch to format certain entries as having 'path=(null)' instead of the correct path. 
    This could prevent ausearch from locating events related to cgroup device ACL modifications for guests managed by libvirt. With this update, the audit messages are generated correctly, preventing loss of audit coverage. (BZ#958839) All users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68824
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68824
    title Oracle Linux 6 : libvirt (ELSA-2013-0831)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-8635.NASL
    description - Rebased to version 1.0.5.1 - Follow updated packaging guidelines for user alloc (bz #924501) - CVE-2013-1962 Open files DoS (bz #963789, bz #953107) - Fix stream operations like screenshot (bz #960879) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 66619
    published 2013-05-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66619
    title Fedora 19 : libvirt-1.0.5.1-1.fc19 (2013-8635)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130516_LIBVIRT_ON_SL6_X.NASL
    description It was found that libvirtd leaked file descriptors when listing all volumes for a particular pool. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to cause libvirtd to consume all available file descriptors, preventing other users from using libvirtd services (such as starting a new guest) until libvirtd is restarted. (CVE-2013-1962) This update also fixes the following bugs : - Previously, libvirt made control group (cgroup) requests on files that it should not have. With older kernels, such nonsensical cgroup requests were ignored; however, newer kernels are stricter, resulting in libvirt logging spurious warnings and failures to the libvirtd and audit logs. The audit log failures displayed by the ausearch tool were similar to the following : root [date] - failed cgroup allow path rw /dev/kqemu With this update, libvirt no longer attempts the nonsensical cgroup actions, leaving only valid attempts in the libvirtd and audit logs (making it easier to search for real cases of failure). - Previously, libvirt used the wrong variable when constructing audit messages. This led to invalid audit messages, causing ausearch to format certain entries as having 'path=(null)' instead of the correct path. This could prevent ausearch from locating events related to cgroup device ACL modifications for guests managed by libvirt. With this update, the audit messages are generated correctly, preventing loss of audit coverage. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 66491
    published 2013-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66491
    title Scientific Linux Security Update : libvirt on SL6.x i386/x86_64
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201309-18.NASL
    description The remote host is affected by the vulnerability described in GLSA-201309-18 (libvirt: Multiple vulnerabilities) An error in the virNetMessageFree() function in rpc/virnetserverclient.c can lead to a use-after-free. Additionally, a socket leak in the remoteDispatchStoragePoolListAllVolumes command can lead to file descriptor exhaustion. Impact : A remote attacker could cause certain errors during an RPC connection to cause a message to be freed without being removed from the message queue, possibly resulting in execution of arbitrary code or a Denial of Service condition. Additionally, a remote attacker could repeatedly issue the command to list all pool volumes, causing a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 70130
    published 2013-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70130
    title GLSA-201309-18 : libvirt: Multiple vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1895-1.NASL
    description It was discovered that libvirt incorrectly handled certain storage pool requests. A remote attacker could use this issue to cause libvirt to consume resources, resulting in a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 67139
    published 2013-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67139
    title Ubuntu 13.04 : libvirt vulnerability (USN-1895-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-463.NASL
    description This update of libvirt fixes two problems : - fix leak after listing all volumes - CVE-2013-1962 ca697e90-CVE-2013-1962.patch bnc#820397 - Fix parsing of bond interface XML 5ba077dc-iface-bond.patch bnc#810893
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75021
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75021
    title openSUSE Security Update : libvirt (openSUSE-SU-2013:0885-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0831.NASL
    description Updated libvirt packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was found that libvirtd leaked file descriptors when listing all volumes for a particular pool. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to cause libvirtd to consume all available file descriptors, preventing other users from using libvirtd services (such as starting a new guest) until libvirtd is restarted. (CVE-2013-1962) Red Hat would like to thank Edoardo Comar of IBM for reporting this issue. This update also fixes the following bugs : * Previously, libvirt made control group (cgroup) requests on files that it should not have. With older kernels, such nonsensical cgroup requests were ignored; however, newer kernels are stricter, resulting in libvirt logging spurious warnings and failures to the libvirtd and audit logs. The audit log failures displayed by the ausearch tool were similar to the following : root [date] - failed cgroup allow path rw /dev/kqemu With this update, libvirt no longer attempts the nonsensical cgroup actions, leaving only valid attempts in the libvirtd and audit logs (making it easier to search for real cases of failure). (BZ#958837) * Previously, libvirt used the wrong variable when constructing audit messages. This led to invalid audit messages, causing ausearch to format certain entries as having 'path=(null)' instead of the correct path. 
    This could prevent ausearch from locating events related to cgroup device ACL modifications for guests managed by libvirt. With this update, the audit messages are generated correctly, preventing loss of audit coverage. (BZ#958839) All users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 66485
    published 2013-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66485
    title CentOS 6 : libvirt (CESA-2013:0831)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-8681.NASL
    description - Rebased to version 0.10.2.5 - Fix creating snapshot on lvm pool (bz #955371) - Properly escape audit paths (bz #922186) - Follow updated packaging guidelines for user alloc (bz #924501) - CVE-2013-1962 Open files DoS (bz #963789, bz #953107) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 66648
    published 2013-05-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66648
    title Fedora 18 : libvirt-0.10.2.5-1.fc18 (2013-8681)
redhat via4
advisories
bugzilla
id 958839
title Cgroup audit events with path are not escaped
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment libvirt is earlier than 0:0.10.2-18.el6_4.5
        oval oval:com.redhat.rhsa:tst:20130831005
      • comment libvirt is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581006
    • AND
      • comment libvirt-client is earlier than 0:0.10.2-18.el6_4.5
        oval oval:com.redhat.rhsa:tst:20130831011
      • comment libvirt-client is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581008
    • AND
      • comment libvirt-devel is earlier than 0:0.10.2-18.el6_4.5
        oval oval:com.redhat.rhsa:tst:20130831007
      • comment libvirt-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581010
    • AND
      • comment libvirt-lock-sanlock is earlier than 0:0.10.2-18.el6_4.5
        oval oval:com.redhat.rhsa:tst:20130831013
      • comment libvirt-lock-sanlock is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581014
    • AND
      • comment libvirt-python is earlier than 0:0.10.2-18.el6_4.5
        oval oval:com.redhat.rhsa:tst:20130831009
      • comment libvirt-python is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20131581012
rhsa
id RHSA-2013:0831
released 2013-05-16
severity Moderate
title RHSA-2013:0831: libvirt security and bug fix update (Moderate)
rpms
  • libvirt-0:0.10.2-18.el6_4.5
  • libvirt-client-0:0.10.2-18.el6_4.5
  • libvirt-devel-0:0.10.2-18.el6_4.5
  • libvirt-lock-sanlock-0:0.10.2-18.el6_4.5
  • libvirt-python-0:0.10.2-18.el6_4.5
refmap via4
bid 59937
confirm
fedora
  • FEDORA-2013-8635
  • FEDORA-2013-8681
mlist
  • [libvir-list] 20130516 [libvirt] [PATCH] daemon: fix leak after listing all volumes
  • [oss-security] 20130516 CVE-2013-1962 libvirt: DoS (max count of open files exhaustion) due sockets leak in the storage pool
osvdb 93451
sectrack 1028577
secunia
  • 53440
  • 53475
suse openSUSE-SU-2013:0885
ubuntu USN-1895-1
xf libvirt-cve20131962-dos(84341)
Last major update 30-11-2013 - 23:27
Published 28-05-2013 - 20:55
Last modified 28-08-2017 - 21:33