Debian dla-3778 : libnss-libvirt - security update

medium Nessus Plugin ID 192736

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3778 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3778-1 [email protected]
https://www.debian.org/lts/security/ Guilhem Moulin
April 01, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libvirt
Version : 5.0.0-4+deb10u2
CVE ID : CVE-2020-10703 CVE-2020-12430 CVE-2020-25637 CVE-2021-3631 CVE-2021-3667 CVE-2021-3975 CVE-2021-4147 CVE-2022-0897 CVE-2024-1441 CVE-2024-2494 CVE-2024-2496
Debian Bug : 959447 971555 990709 991594 1002535 1009075 1066058 1067461

Multiple vulnerabilities were found in libvirt, a C toolkit to interact with the virtualization capabilities of Linux, which could lead to denial of service or information disclosure.

CVE-2020-10703

A NULL pointer dereference was found in the libvirt API that is responsible for fetching a storage pool based on its target path. In more detail, this flaw affects storage pools created without a target path such as network-based pools like gluster and RBD. Unprivileged users with a read-only connection could abuse this flaw to crash the libvirt daemon, resulting in a potential denial of service.

CVE-2020-12430

A memory leak was found in the virDomainListGetStats libvirt API that is responsible for retrieving domain statistics when managing QEMU guests. This flaw allows unprivileged users with a read-only connection to cause a memory leak in the domstats command, resulting in a potential denial of service.

CVE-2020-25637

A double free memory issue was found in the libvirt API that is responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or potentially escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2021-3631

An issue was found in the generation of SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement.

CVE-2021-3667

An improper locking issue was found in the virStoragePoolLookupByTargetPath API. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition.

CVE-2021-3975

A use-after-free issue was found in libvirt in qemuProcessHandleMonitorEOF(), where the qemuMonitorUnregister() function is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash.

CVE-2021-4147

Jim Fehlig discovered that a malicious guest using the libxl driver could cause libvirtd on the host to deadlock or crash when continuously rebooting itself.

CVE-2022-0897

A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the driver->nwfilters mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the driver->nwfilters object. This flaw allows a malicious, unprivileged user to exploit this issue via libvirt's API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd).

CVE-2024-1441

An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash.

CVE-2024-2494

The ALT Linux Team discovered that the RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length therefore results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash.

CVE-2024-2496

A NULL pointer dereference flaw was found in the udevConnectListAllInterfaces() function. This issue can occur when detaching a host interface while at the same time collecting the list of interfaces via virConnectListAllInterfaces API. This flaw could be used to perform a denial of service attack by causing the libvirt daemon to crash.

For Debian 10 buster, these problems have been fixed in version 5.0.0-4+deb10u2.

We recommend that you upgrade your libvirt packages.

For the detailed security status of libvirt please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libvirt

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
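
The version-only check described above can be reproduced by hand. The following is an added example, not Tenable's plugin code or Debian's tooling: it applies dpkg's version ordering to `dpkg -l` output and reports installed libvirt packages older than the fixed version. The function names and the sample listing are assumptions made for illustration, and the comparison is only meaningful on Debian 10.

```python
import re

FIXED = "5.0.0-4+deb10u2"  # fixed version given in DLA-3778-1 for Debian 10
PACKAGES = {  # binary packages named in the plugin's CPE list
    "libnss-libvirt", "libvirt-clients", "libvirt-daemon", "libvirt-daemon-system",
    "libvirt-daemon-driver-storage-gluster", "libvirt-daemon-driver-storage-rbd",
    "libvirt-daemon-driver-storage-zfs", "libvirt-dev", "libvirt-doc",
    "libvirt-sanlock", "libvirt-wireshark", "libvirt0",
}
# Constructed `dpkg -l` excerpt for illustration (not taken from a real host)
SAMPLE = """\
ii  libvirt0:amd64         5.0.0-4+deb10u1     amd64  library for libvirt
ii  libvirt-clients        5.0.0-4+deb10u2     amd64  libvirt client programs
rc  libvirt-daemon-system  5.0.0-4             amd64  libvirt daemon config
ii  openssh-server         1:7.9p1-10+deb10u4  amd64  SSH server
"""

def _key(part):
    # dpkg order inside a non-digit run: '~' < end of run < letters < other chars
    def order(c):
        return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
    # Alternating (non-digit run, number) pairs; the 0 marks the end of a run,
    # and findall's final empty match acts as the end-of-string terminator.
    return [([order(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", part)]

def deb_key(version):
    # [epoch:]upstream[-revision]; a missing revision compares equal to "0"
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), _key(upstream), _key(revision)

def outdated(dpkg_l_text, fixed=FIXED):
    hits = []
    for line in dpkg_l_text.splitlines():
        f = line.split()
        # Second status letter n/c: not installed or only config files remain
        if len(f) < 3 or f[0][1:2] in ("n", "c"):
            continue
        name = f[1].split(":")[0]  # drop an architecture qualifier such as ":amd64"
        if name in PACKAGES and deb_key(f[2]) < deb_key(fixed):
            hits.append((name, f[2]))
    return hits

if __name__ == "__main__":
    for name, ver in outdated(SAMPLE):
        print(f"{name} {ver} is older than {FIXED}")
```

Like the plugin, this only compares reported package versions; it does not test whether a running libvirtd was restarted after the upgrade.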

Solution

Upgrade the libnss-libvirt packages.

See Also

https://security-tracker.debian.org/tracker/source-package/libvirt

https://security-tracker.debian.org/tracker/CVE-2020-10703

https://security-tracker.debian.org/tracker/CVE-2020-12430

https://security-tracker.debian.org/tracker/CVE-2020-25637

https://security-tracker.debian.org/tracker/CVE-2021-3631

https://security-tracker.debian.org/tracker/CVE-2021-3667

https://security-tracker.debian.org/tracker/CVE-2021-3975

https://security-tracker.debian.org/tracker/CVE-2021-4147

https://security-tracker.debian.org/tracker/CVE-2022-0897

https://security-tracker.debian.org/tracker/CVE-2024-1441

https://security-tracker.debian.org/tracker/CVE-2024-2494

https://security-tracker.debian.org/tracker/CVE-2024-2496

https://packages.debian.org/source/buster/libvirt

Plugin Details

Severity: Medium

ID: 192736

File Name: debian_DLA-3778.nasl

Version: 1.1

Type: local

Agent: unix

Published: 4/1/2024

Updated: 1/22/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-25637

CVSS v3

Risk Factor: Medium

Base Score: 6.7

Temporal Score: 6

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libvirt-daemon-driver-storage-zfs, p-cpe:/a:debian:debian_linux:libvirt-daemon-system, p-cpe:/a:debian:debian_linux:libvirt0, p-cpe:/a:debian:debian_linux:libvirt-clients, p-cpe:/a:debian:debian_linux:libvirt-daemon, p-cpe:/a:debian:debian_linux:libvirt-daemon-driver-storage-gluster, p-cpe:/a:debian:debian_linux:libvirt-dev, p-cpe:/a:debian:debian_linux:libvirt-sanlock, cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:libnss-libvirt, p-cpe:/a:debian:debian_linux:libvirt-doc, p-cpe:/a:debian:debian_linux:libvirt-wireshark, p-cpe:/a:debian:debian_linux:libvirt-daemon-driver-storage-rbd

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/1/2024

Vulnerability Publication Date: 4/28/2020

Reference Information

CVE: CVE-2020-10703, CVE-2020-12430, CVE-2020-25637, CVE-2021-3631, CVE-2021-3667, CVE-2021-3975, CVE-2021-4147, CVE-2022-0897, CVE-2024-1441, CVE-2024-2494, CVE-2024-2496

IAVA: 2024-A-0184