Directory traversal vulnerability in the virStorageBackendFileSystemVolCreate function in storage/storage_backend_fs.c in libvirt, when fine-grained Access Control Lists (ACL) are in effect, allows local users with storage_vol:create ACL but not domain:write permission to write to arbitrary files via a .. (dot dot) in a volume name.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - libvirt: Setting empty VNC password allows access to unauthorized users (CVE-2016-5008)

  - libvirt: TLS certificate verification disabled for clients (CVE-2017-1000256)

  - libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka     RBD), which allows local users to obtain sensitive information via a process listing. (CVE-2015-5160)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - libvirt: TLS certificate verification disabled for clients (CVE-2017-1000256)

  - Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3)     qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly     verify that the disk is attached, which allows remote read-only attackers to cause a denial of service     (libvirtd crash) via the virDomainDetachDeviceFlags command. (CVE-2013-6458)

  - libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and     hang) via a crafted XML document containing an XML external entity declaration in conjunction with an     entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an     XML External Entity (XXE) issue. NOTE: this issue was SPLIT per ADT3 due to different affected versions of     some vectors. CVE-2014-5177 is used for other API methods. (CVE-2014-0179)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The following packages have been upgraded to a newer upstream version:
libvirt (2.0.0).

Security Fix(es) :

  - It was found that the libvirt daemon, when using RBD     (RADOS Block Device), leaked private credentials to the     process list. A local attacker could use this flaw to     perform certain privileged operations within the     cluster. (CVE-2015-5160)

  - A path-traversal flaw was found in the way the libvirt     daemon handled filesystem names for storage volumes. A     libvirt user with privileges to create storage volumes     and without privileges to create and modify domains     could possibly use this flaw to escalate their     privileges. (CVE-2015-5313)

  - It was found that setting a VNC password to an empty     string in libvirt did not disable all access to the VNC     server as documented, instead it allowed access with no     authentication required. An attacker could use this flaw     to access a VNC server with an empty VNC password     without any authentication. (CVE-2016-5008)

The remote host is affected by the vulnerability described in GLSA-201612-10 (libvirt: Directory traversal)

    Normally, only privileged users can coerce libvirt into creating or       opening existing files using the virStorageVol APIs; and such users       already have full privilege to create any domain XML.
    But in the case of fine-grained ACLs, it is feasible that a user can be       granted storage_vol:create but not domain:write, and it violates       assumptions if such a user can abuse libvirt to access files outside of       the storage pool.
  Impact :

    When fine-grained Access Control Lists (ACL) are in effect, an       authenticated local user with storage_vol:create permission but without       domain:write permission maybe able to create or access arbitrary files       outside of the storage pool.
  Workaround :

    Don&rsquo;t make use of fine-grained Access Control Lists (ACL) in libvirt;
      In Gentoo, libvirt&rsquo;s ACL support is disable by default unless you       enable the &ldquo;policykit&rdquo; USE flag.

An update for libvirt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems.
In addition, libvirt provides tools for remote management of virtualized systems.

The following packages have been upgraded to a newer upstream version:
libvirt (2.0.0). (BZ#830971, BZ#1286679)

Security Fix(es) :

* It was found that the libvirt daemon, when using RBD (RADOS Block Device), leaked private credentials to the process list. A local attacker could use this flaw to perform certain privileged operations within the cluster. (CVE-2015-5160)

* A path-traversal flaw was found in the way the libvirt daemon handled filesystem names for storage volumes. A libvirt user with privileges to create storage volumes and without privileges to create and modify domains could possibly use this flaw to escalate their privileges. (CVE-2015-5313)

* It was found that setting a VNC password to an empty string in libvirt did not disable all access to the VNC server as documented, instead it allowed access with no authentication required. An attacker could use this flaw to access a VNC server with an empty VNC password without any authentication. (CVE-2016-5008)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

This update for libvirt fixes the following issues :

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update to libvirt 1.2.18.2 fixes the following minor security issue :

  - CVE-2015-5313: Directory traversal allowed privilege     escalation (bsc#953110)

The following bugs were fixed :

  - bsc#952849: Don't add apparmor deny rw rule for 9P     readonly mounts.

  - bsc#960305: libxl: support parsing and formatting vif     bandwidth

  - bsc#954872: libxl: Add support for     block-{dmmd,drbd,npiv} scripts

  - bsc#964465: Remove 'Wants=xencommons.service' from     libvirtd service file

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Rebased to version 1.2.18.2 * disk backend is not     removed properly when disk frontent hotplug fails (bz     #1265968) * Fix TPM cancel path on newer kernels (bz     #1244895) * Remove timeout for libvirt-guests.service     (bz #1195544) * CVE-2015-5313 libvirt: filesystem     storage volume names path traversal flaw (bz #1291433) *     Fix VM names with non-ascii (bz #1062943) * Fix     backwards migration with graphics listen address (bz     #1276883)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Rebased to version 1.2.13.2 * disk backend is not     removed properly when disk frontent hotplug fails (bz     #1265968) * Fix TPM cancel path on newer kernels (bz     #1244895) * Remove timeout for libvirt-guests.service     (bz #1195544) * CVE-2015-5313 libvirt: filesystem     storage volume names path traversal flaw (bz #1291433) *     Fix VM names with non-ascii (bz #1062943) * Fix     backwards migration with graphics listen address (bz     #1276883)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

libvirt was updated to fix one security issue and several non-security issues.

This security issue was fixed :

  - CVE-2015-0236: libvirt allowed remote authenticated     users to obtain the VNC password by using the     VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot     to the virDomainSnapshotGetXMLDesc interface or (2)     image to the virDomainSaveImageGetXMLDesc interface.
    (bsc#914693)

  - CVE-2015-5313: path traversal vulnerability allowed     libvirtd process to write arbitrary files into file     system using root permissions (bsc#953110)

Theses non-security issues were fixed :

  - bsc#948686: Use PAUSED state for domains that are     starting up.

  - bsc#903757: Provide nodeGetSecurityModel implementation     in libxl.

  - bsc#938228: Set disk type to BLOCK when driver is not     tap or file.

  - bsc#948516: Fix profile_status to distinguish between     errors and unconfined domains.

  - bsc#936524: Fix error starting lxc containers with     direct interfaces.

  - bsc#921555: Fixed apparmor generated profile for PCI     hostdevs.

  - bsc#899334: Include additional upstream fixes for     systemd TerminateMachine.

  - bsc#921586: Fix security driver default settings in     /etc/libvirt/qemu.conf.

  - bsc#921355: Fixed a number of QEMU apparmor abstraction     problems.

  - bsc#911737: Additional fix for the case where security     labels aren't automatically set.

  - bsc#914297: Allow setting the URL of an SMT server to     use in place of SCC.

  - bsc#904432: Backported route definition changes.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Maintenance update for openSUSE13.1 libvirt package.

  - Fix cve-2015-5313: directory directory traversal     privilege escalation vulnerability.
    e8643ef6-cve-2015-5313.patch bsc#953110

  - qemu: Call qemuSetupHostdevCGroup later during hotplug     05e149f9-call-qemuSetupHostdevCGroup-later.patch qemu:
    hotplug: Only label hostdev after checking device     conflicts ee414b5d-fix-qemu-hotplug-usb-hostdev.patch     bsc#863933 

  - libxl: support virtual sound devices in HVM domains     c0d3f608-libxl-soundhw.patch bsc#875216

This update for libvirt fixes the following issues :

  - CVE-2015-5313: directory directory traversal privilege     escalation vulnerability. (boo#953110)

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2867-1 advisory.

    It was discovered that libvirt incorrectly handled the firewall rules on bridge networks when the daemon     was restarted. This could result in an unintended firewall configuration. This issue only applied to     Ubuntu 12.04 LTS. (CVE-2011-4600)

    Peter Krempa discovered that libvirt incorrectly handled locking when certain ACL checks failed. A local     attacker could use this issue to cause libvirt to stop responding, resulting in a denial of service. This     issue only applied to Ubuntu 14.04 LTS. (CVE-2014-8136)

    Luyao Huang discovered that libvirt incorrectly handled VNC passwords in shapshot and image files. A     remote authenticated user could use this issue to possibly obtain VNC passwords. This issue only affected     Ubuntu 14.04 LTS. (CVE-2015-0236)

    Han Han discovered that libvirt incorrectly handled volume creation failure when used with NFS. A remote     authenticated user could use this issue to cause libvirt to crash, resulting in a denial of service. This     issue only applied to Ubuntu 15.10. (CVE-2015-5247)

    Ossi Herrala and Joonas Kuorilehto discovered that libvirt incorrectly performed storage pool name     validation. A remote authenticated user could use this issue to bypass ACLs and gain access to unintended     files. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10. (CVE-2015-5313)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Libvit development team reports :

Various virStorageVol* API operate on user-supplied volume names by concatenating the volume name to the pool location. Note that the virStoragePoolListVolumes API, when used on a storage pool backed by a directory in a file system, will only list volumes immediately in that directory (there is no traversal into subdirectories). However, other APIs such as virStorageVolCreateXML were not checking if a potential volume name represented one of the volumes that could be returned by virStoragePoolListVolumes; because they were not rejecting the use of '/' in a volume name.

Because no checking was done on volume names, a user could supply a potential volume name of something like '../../../etc/passwd' to attempt to access a file not belonging to the storage pool. When fine-grained Access Control Lists (ACL) are in effect, a user with storage_vol:create ACL permission but lacking domain:write permission could thus abuse virStorageVolCreateXML and similar APIs to gain access to files not normally permitted to that user. Fortunately, it appears that the only APIs that could leak information or corrupt files require read-write connection to libvirtd; and when ACLs are not in use (the default without any further configuration), a user with read-write access can already be considered to have full access to the machine, and without an escalation of privilege there is no security problem.

ID	Name	Product	Family	Severity
199223	RHEL 6 : libvirt (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
199214	RHEL 5 : libvirt (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
95846	Scientific Linux Security Update : libvirt on SL7.x x86_64 (20161103)	Nessus	Scientific Linux Local Security Checks	critical
95525	GLSA-201612-10 : libvirt: Directory traversal	Nessus	Gentoo Local Security Checks	low
95324	CentOS 7 : libvirt (CESA-2016:2577)	Nessus	CentOS Local Security Checks	critical
94700	Oracle Linux 7 : libvirt (ELSA-2016-2577)	Nessus	Oracle Linux Local Security Checks	critical
94540	RHEL 7 : libvirt (RHSA-2016:2577)	Nessus	Red Hat Local Security Checks	critical
90346	SUSE SLED11 / SLES11 Security Update : libvirt (SUSE-SU-2016:0931-1)	Nessus	SuSE Local Security Checks	low
90305	SUSE SLED12 / SLES12 Security Update : libvirt (SUSE-SU-2016:0923-1)	Nessus	SuSE Local Security Checks	low
89197	Fedora 23 : libvirt-1.2.18.2-1.fc23 (2015-30b347dff1)	Nessus	Fedora Local Security Checks	low
89191	Fedora 22 : libvirt-1.2.13.2-1.fc22 (2015-2c9678da8c)	Nessus	Fedora Local Security Checks	low
88560	SUSE SLED12 / SLES12 Security Update : libvirt (SUSE-SU-2016:0304-1)	Nessus	SuSE Local Security Checks	low
88395	openSUSE Security Update : libvirt (openSUSE-2016-82)	Nessus	SuSE Local Security Checks	low
88160	openSUSE Security Update : libvirt (openSUSE-2016-77)	Nessus	SuSE Local Security Checks	low
87888	Ubuntu 14.04 LTS : libvirt vulnerabilities (USN-2867-1)	Nessus	Ubuntu Local Security Checks	medium
87515	FreeBSD : libvirt -- ACL bypass using ../ to access beyond storage pool (f714b4c9-a6c1-11e5-88d7-047d7b492d07)	Nessus	FreeBSD Local Security Checks	low

Detections

Analytics

CVE-2015-5313

low

Tenable Plugins

critical

high

critical

low

critical

critical

critical

low

low

low

low

low

low

low

medium

low