CVE-2013-6456

15.04.2014, 23:55

The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to "paths under /proc/$PID/root" and the virInitctlSetRunLevel function.

Link Following

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.8 UNKNOWN	ADJACENT_NETWORK	MEDIUM		AV:A/AC:M/Au:S/C:N/I:P/A:C
redhat	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 47%

Vendor	Product	Version
redhat	libvirt	1.0.1
redhat	libvirt	1.0.2
redhat	libvirt	1.0.3
redhat	libvirt	1.0.4
redhat	libvirt	1.0.5
redhat	libvirt	1.0.5.1
redhat	libvirt	1.0.5.2
redhat	libvirt	1.0.5.3
redhat	libvirt	1.0.5.4
redhat	libvirt	1.0.5.5
redhat	libvirt	1.0.5.6
redhat	libvirt	1.0.6
redhat	libvirt	1.1.0
redhat	libvirt	1.1.1
redhat	libvirt	1.1.2
redhat	libvirt	1.1.3
redhat	libvirt	1.1.4
redhat	libvirt	1.2.0
redhat	libvirt	1.2.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libvirt

bullseye	7.0.0-3+deb11u3 fixed
wheezy	not-affected
squeeze	not-affected
bookworm	9.0.0-4+deb12u1 fixed
sid	10.9.0-1 fixed
trixie	10.9.0-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

libvirt

trusty	not-affected
saucy	Fixed 1.1.1-0ubuntu8.11 released
raring	ignored
quantal	not-affected
precise	not-affected
lucid	not-affected

Common Weakness Enumeration

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References

http://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=5fc590ad9f4

http://libvirt.org/news.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129199.html

http://lists.opensuse.org/opensuse-updates/2014-05/msg00004.html

http://secunia.com/advisories/56187

http://secunia.com/advisories/56215

http://secunia.com/advisories/60895

http://security.gentoo.org/glsa/glsa-201412-04.xml

http://security.libvirt.org/2013/0018.html

http://www.securityfocus.com/bid/65743

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732394

https://bugzilla.redhat.com/show_bug.cgi?id=1045643

http://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=5fc590ad9f4

http://libvirt.org/news.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129199.html

http://lists.opensuse.org/opensuse-updates/2014-05/msg00004.html

http://secunia.com/advisories/56187

http://secunia.com/advisories/56215

http://secunia.com/advisories/60895

http://security.gentoo.org/glsa/glsa-201412-04.xml

http://security.libvirt.org/2013/0018.html

http://www.securityfocus.com/bid/65743

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732394

https://bugzilla.redhat.com/show_bug.cgi?id=1045643