ID CVE-2015-5313
Summary Directory traversal vulnerability in the virStorageBackendFileSystemVolCreate function in storage/storage_backend_fs.c in libvirt, when fine-grained Access Control Lists (ACL) are in effect, allows local users with storage_vol:create ACL but not domain:write permission to write to arbitrary files via a .. (dot dot) in a volume name.
Vulnerable Configurations
  • Red Hat libvirt
    cpe:2.3:a:redhat:libvirt
CVSS
Base: 1.9 (as of 18-04-2016 - 11:20)
CWE CWE-22
CAPEC
  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Directory Traversal
    An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and "dir", or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special characters that need special syntax handling in order to be interpreted. Special characters are represented using a percent character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance, the US-ASCII space character would be represented as %20. This is often referred to as escaped encoding or percent-encoding. Since the server decodes the URL from the requests, it may restrict access to some URL paths by validating and filtering out the URL requests it receives. An attacker will try to craft a URL with a sequence of special characters which, once interpreted by the server, will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other formats of encoding such as UTF-8 encoding, Unicode encoding, etc.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
  • Using Escaped Slashes in Alternate Encoding
    This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and cause a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character, which leads to filter problems and opens avenues to attack.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the slash characters. An attacker would try to exploit common filtering problems related to the use of slash characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) chose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
  • Vector: LOCAL
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: PARTIAL
  • Availability: NONE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-0304-1.NASL
    description libvirt was updated to fix one security issue and several non-security issues. This security issue was fixed:
      - CVE-2015-0236: libvirt allowed remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface. (bsc#914693)
      - CVE-2015-5313: path traversal vulnerability allowed libvirtd process to write arbitrary files into file system using root permissions (bsc#953110)
    These non-security issues were fixed:
      - bsc#948686: Use PAUSED state for domains that are starting up.
      - bsc#903757: Provide nodeGetSecurityModel implementation in libxl.
      - bsc#938228: Set disk type to BLOCK when driver is not tap or file.
      - bsc#948516: Fix profile_status to distinguish between errors and unconfined domains.
      - bsc#936524: Fix error starting lxc containers with direct interfaces.
      - bsc#921555: Fixed apparmor generated profile for PCI hostdevs.
      - bsc#899334: Include additional upstream fixes for systemd TerminateMachine.
      - bsc#921586: Fix security driver default settings in /etc/libvirt/qemu.conf.
      - bsc#921355: Fixed a number of QEMU apparmor abstraction problems.
      - bsc#911737: Additional fix for the case where security labels aren't automatically set.
      - bsc#914297: Allow setting the URL of an SMT server to use in place of SCC.
      - bsc#904432: Backported route definition changes.
    Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 88560
    published 2016-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88560
    title SUSE SLED12 / SLES12 Security Update : libvirt (SUSE-SU-2016:0304-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-0923-1.NASL
    description This update to libvirt 1.2.18.2 fixes the following minor security issue:
      - CVE-2015-5313: Directory traversal allowed privilege escalation (bsc#953110)
    The following bugs were fixed:
      - bsc#952849: Don't add apparmor deny rw rule for 9P readonly mounts.
      - bsc#960305: libxl: support parsing and formatting vif bandwidth
      - bsc#954872: libxl: Add support for block-{dmmd,drbd,npiv} scripts
      - bsc#964465: Remove 'Wants=xencommons.service' from libvirtd service file
    Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 90305
    published 2016-04-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90305
    title SUSE SLED12 / SLES12 Security Update : libvirt (SUSE-SU-2016:0923-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_F714B4C9A6C111E588D7047D7B492D07.NASL
    description libvirt development team reports: Various virStorageVol* API operate on user-supplied volume names by concatenating the volume name to the pool location. Note that the virStoragePoolListVolumes API, when used on a storage pool backed by a directory in a file system, will only list volumes immediately in that directory (there is no traversal into subdirectories). However, other APIs such as virStorageVolCreateXML were not checking if a potential volume name represented one of the volumes that could be returned by virStoragePoolListVolumes, because they were not rejecting the use of '/' in a volume name. Because no checking was done on volume names, a user could supply a potential volume name of something like '../../../etc/passwd' to attempt to access a file not belonging to the storage pool. When fine-grained Access Control Lists (ACL) are in effect, a user with storage_vol:create ACL permission but lacking domain:write permission could thus abuse virStorageVolCreateXML and similar APIs to gain access to files not normally permitted to that user. Fortunately, it appears that the only APIs that could leak information or corrupt files require a read-write connection to libvirtd; and when ACLs are not in use (the default without any further configuration), a user with read-write access can already be considered to have full access to the machine, and without an escalation of privilege there is no security problem.
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 87515
    published 2015-12-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87515
    title FreeBSD : libvirt -- ACL bypass using ../ to access beyond storage pool (f714b4c9-a6c1-11e5-88d7-047d7b492d07)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-77.NASL
    description This update for libvirt fixes the following issues:
      - CVE-2015-5313: directory traversal privilege escalation vulnerability. (boo#953110)
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 88160
    published 2016-01-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88160
    title openSUSE Security Update : libvirt (openSUSE-2016-77)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-0931-1.NASL
    description This update for libvirt fixes the following issues : Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 90346
    published 2016-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90346
    title SUSE SLED11 / SLES11 Security Update : libvirt (SUSE-SU-2016:0931-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2577.NASL
    description From Red Hat Security Advisory 2016:2577: An update for libvirt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
    The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.
    The following packages have been upgraded to a newer upstream version: libvirt (2.0.0). (BZ#830971, BZ#1286679)
    Security Fix(es):
      * It was found that the libvirt daemon, when using RBD (RADOS Block Device), leaked private credentials to the process list. A local attacker could use this flaw to perform certain privileged operations within the cluster. (CVE-2015-5160)
      * A path-traversal flaw was found in the way the libvirt daemon handled filesystem names for storage volumes. A libvirt user with privileges to create storage volumes and without privileges to create and modify domains could possibly use this flaw to escalate their privileges. (CVE-2015-5313)
      * It was found that setting a VNC password to an empty string in libvirt did not disable all access to the VNC server as documented; instead, it allowed access with no authentication required. An attacker could use this flaw to access a VNC server with an empty VNC password without any authentication. (CVE-2016-5008)
    Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 94700
    published 2016-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94700
    title Oracle Linux 7 : libvirt (ELSA-2016-2577)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-82.NASL
    description Maintenance update for openSUSE 13.1 libvirt package.
      - Fix CVE-2015-5313: directory traversal privilege escalation vulnerability. e8643ef6-cve-2015-5313.patch bsc#953110
      - qemu: Call qemuSetupHostdevCGroup later during hotplug 05e149f9-call-qemuSetupHostdevCGroup-later.patch
        qemu: hotplug: Only label hostdev after checking device conflicts ee414b5d-fix-qemu-hotplug-usb-hostdev.patch bsc#863933
      - libxl: support virtual sound devices in HVM domains c0d3f608-libxl-soundhw.patch bsc#875216
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 88395
    published 2016-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88395
    title openSUSE Security Update : libvirt (openSUSE-2016-82)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2577.NASL
    description An update for libvirt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
    The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.
    The following packages have been upgraded to a newer upstream version: libvirt (2.0.0). (BZ#830971, BZ#1286679)
    Security Fix(es):
      * It was found that the libvirt daemon, when using RBD (RADOS Block Device), leaked private credentials to the process list. A local attacker could use this flaw to perform certain privileged operations within the cluster. (CVE-2015-5160)
      * A path-traversal flaw was found in the way the libvirt daemon handled filesystem names for storage volumes. A libvirt user with privileges to create storage volumes and without privileges to create and modify domains could possibly use this flaw to escalate their privileges. (CVE-2015-5313)
      * It was found that setting a VNC password to an empty string in libvirt did not disable all access to the VNC server as documented; instead, it allowed access with no authentication required. An attacker could use this flaw to access a VNC server with an empty VNC password without any authentication. (CVE-2016-5008)
    Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 94540
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94540
    title RHEL 7 : libvirt (RHSA-2016:2577)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2867-1.NASL
    description It was discovered that libvirt incorrectly handled the firewall rules on bridge networks when the daemon was restarted. This could result in an unintended firewall configuration. This issue only applied to Ubuntu 12.04 LTS. (CVE-2011-4600)
    Peter Krempa discovered that libvirt incorrectly handled locking when certain ACL checks failed. A local attacker could use this issue to cause libvirt to stop responding, resulting in a denial of service. This issue only applied to Ubuntu 14.04 LTS. (CVE-2014-8136)
    Luyao Huang discovered that libvirt incorrectly handled VNC passwords in snapshot and image files. A remote authenticated user could use this issue to possibly obtain VNC passwords. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-0236)
    Han Han discovered that libvirt incorrectly handled volume creation failure when used with NFS. A remote authenticated user could use this issue to cause libvirt to crash, resulting in a denial of service. This issue only applied to Ubuntu 15.10. (CVE-2015-5247)
    Ossi Herrala and Joonas Kuorilehto discovered that libvirt incorrectly performed storage pool name validation. A remote authenticated user could use this issue to bypass ACLs and gain access to unintended files. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10. (CVE-2015-5313)
    Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 87888
    published 2016-01-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87888
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : libvirt vulnerabilities (USN-2867-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-30B347DFF1.NASL
    description - Rebased to version 1.2.18.2
        * disk backend is not removed properly when disk frontend hotplug fails (bz #1265968)
        * Fix TPM cancel path on newer kernels (bz #1244895)
        * Remove timeout for libvirt-guests.service (bz #1195544)
        * CVE-2015-5313 libvirt: filesystem storage volume names path traversal flaw (bz #1291433)
        * Fix VM names with non-ascii (bz #1062943)
        * Fix backwards migration with graphics listen address (bz #1276883)
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 89197
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89197
    title Fedora 23 : libvirt-1.2.18.2-1.fc23 (2015-30b347dff1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201612-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-201612-10 (libvirt: Directory traversal). Normally, only privileged users can coerce libvirt into creating or opening existing files using the virStorageVol APIs; and such users already have full privilege to create any domain XML. But in the case of fine-grained ACLs, it is feasible that a user can be granted storage_vol:create but not domain:write, and it violates assumptions if such a user can abuse libvirt to access files outside of the storage pool.
    Impact: When fine-grained Access Control Lists (ACL) are in effect, an authenticated local user with storage_vol:create permission but without domain:write permission may be able to create or access arbitrary files outside of the storage pool.
    Workaround: Don’t make use of fine-grained Access Control Lists (ACL) in libvirt. In Gentoo, libvirt’s ACL support is disabled by default unless you enable the “policykit” USE flag.
    last seen 2019-02-21
    modified 2016-12-05
    plugin id 95525
    published 2016-12-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95525
    title GLSA-201612-10 : libvirt: Directory traversal
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-2C9678DA8C.NASL
    description - Rebased to version 1.2.13.2
        * disk backend is not removed properly when disk frontend hotplug fails (bz #1265968)
        * Fix TPM cancel path on newer kernels (bz #1244895)
        * Remove timeout for libvirt-guests.service (bz #1195544)
        * CVE-2015-5313 libvirt: filesystem storage volume names path traversal flaw (bz #1291433)
        * Fix VM names with non-ascii (bz #1062943)
        * Fix backwards migration with graphics listen address (bz #1276883)
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 89191
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89191
    title Fedora 22 : libvirt-1.2.13.2-1.fc22 (2015-2c9678da8c)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2577.NASL
    description An update for libvirt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
    The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.
    The following packages have been upgraded to a newer upstream version: libvirt (2.0.0). (BZ#830971, BZ#1286679)
    Security Fix(es):
      * It was found that the libvirt daemon, when using RBD (RADOS Block Device), leaked private credentials to the process list. A local attacker could use this flaw to perform certain privileged operations within the cluster. (CVE-2015-5160)
      * A path-traversal flaw was found in the way the libvirt daemon handled filesystem names for storage volumes. A libvirt user with privileges to create storage volumes and without privileges to create and modify domains could possibly use this flaw to escalate their privileges. (CVE-2015-5313)
      * It was found that setting a VNC password to an empty string in libvirt did not disable all access to the VNC server as documented; instead, it allowed access with no authentication required. An attacker could use this flaw to access a VNC server with an empty VNC password without any authentication. (CVE-2016-5008)
    Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 95324
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95324
    title CentOS 7 : libvirt (CESA-2016:2577)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161103_LIBVIRT_ON_SL7_X.NASL
    description The following packages have been upgraded to a newer upstream version: libvirt (2.0.0).
    Security Fix(es):
      - It was found that the libvirt daemon, when using RBD (RADOS Block Device), leaked private credentials to the process list. A local attacker could use this flaw to perform certain privileged operations within the cluster. (CVE-2015-5160)
      - A path-traversal flaw was found in the way the libvirt daemon handled filesystem names for storage volumes. A libvirt user with privileges to create storage volumes and without privileges to create and modify domains could possibly use this flaw to escalate their privileges. (CVE-2015-5313)
      - It was found that setting a VNC password to an empty string in libvirt did not disable all access to the VNC server as documented; instead, it allowed access with no authentication required. An attacker could use this flaw to access a VNC server with an empty VNC password without any authentication. (CVE-2016-5008)
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 95846
    published 2016-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95846
    title Scientific Linux Security Update : libvirt on SL7.x x86_64
redhat via4
advisories
rhsa
id RHSA-2016:2577
rpms
  • libvirt-0:2.0.0-10.el7
  • libvirt-client-0:2.0.0-10.el7
  • libvirt-daemon-0:2.0.0-10.el7
  • libvirt-daemon-config-network-0:2.0.0-10.el7
  • libvirt-daemon-config-nwfilter-0:2.0.0-10.el7
  • libvirt-daemon-driver-interface-0:2.0.0-10.el7
  • libvirt-daemon-driver-lxc-0:2.0.0-10.el7
  • libvirt-daemon-driver-network-0:2.0.0-10.el7
  • libvirt-daemon-driver-nodedev-0:2.0.0-10.el7
  • libvirt-daemon-driver-nwfilter-0:2.0.0-10.el7
  • libvirt-daemon-driver-qemu-0:2.0.0-10.el7
  • libvirt-daemon-driver-secret-0:2.0.0-10.el7
  • libvirt-daemon-driver-storage-0:2.0.0-10.el7
  • libvirt-daemon-kvm-0:2.0.0-10.el7
  • libvirt-daemon-lxc-0:2.0.0-10.el7
  • libvirt-devel-0:2.0.0-10.el7
  • libvirt-docs-0:2.0.0-10.el7
  • libvirt-lock-sanlock-0:2.0.0-10.el7
  • libvirt-login-shell-0:2.0.0-10.el7
  • libvirt-nss-0:2.0.0-10.el7
refmap via4
bid 90913