Ubuntu 12.04 LTS / 12.10 / 13.10 : libvirt vulnerabilities (USN-2093-1)

Ubuntu Security Notice (C) 2014 Canonical, Inc. / NASL script (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

Martin Kletzander discovered that libvirt incorrectly handled reading
memory tunables from LXC guests. A local user could possibly use this
flaw to cause libvirtd to crash, resulting in a denial of service.
This issue only affected Ubuntu 13.10. (CVE-2013-6436)

Dario Faggioli discovered that libvirt incorrectly handled the libxl
driver. A local user could possibly use this flaw to cause libvirtd to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 13.10. (CVE-2013-6457)

It was discovered that libvirt contained multiple race conditions in
block device handling. A remote read-only user could use this flaw to
cause libvirtd to crash, resulting in a denial of service.
(CVE-2013-6458)

Eric Blake discovered that libvirt incorrectly handled certain ACLs.
An attacker could use this flaw to possibly obtain certain sensitive
information. This issue only affected Ubuntu 13.10. (CVE-2014-0028)

Jiri Denemark discovered that libvirt incorrectly handled keepalives.
A remote attacker could possibly use this flaw to cause libvirtd to
crash, resulting in a denial of service. (CVE-2014-1447)

Solution :

Update the affected libvirt-bin and / or libvirt0 packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:A/AC:H/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 72232

Bugtraq ID: 64549, 64723, 64945, 64963, 65004

CVE ID: CVE-2013-6436, CVE-2013-6457, CVE-2013-6458, CVE-2014-0028, CVE-2014-1447