USN-3576-1

RHSA-2018:3113

DSA-4137

[libvirt] 20180205 [PATCH] virlog: determine the hostname on startup CVE-2018-XXX

According to the versions of the libvirt packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - util/virlog.c in libvirt does not properly determine     the hostname on LXC container startup, which allows     local guest OS users to bypass an intended container     protection mechanism and execute arbitrary commands via     a crafted NSS module.(CVE-2018-6764)

  - qemu/qemu_monitor.c in libvirt allows attackers to     cause a denial of service (memory consumption) via a     large QEMU reply.(CVE-2018-5748)

  - libvirt version 2.3.0 and later is vulnerable to a bad     default configuration of 'verify-peer=no' passed to     QEMU by libvirt resulting in a failure to validate     SSL/TLS certificates by default. (CVE-2019-3840)

  - libvirt version 2.3.0 and later is vulnerable to a bad     default configuration of 'verify-peer=no' passed to     QEMU by libvirt resulting in a failure to validate     SSL/TLS certificates by default.(CVE-2017-1000256)

  - An incomplete fix for CVE-2018-5748 that affects QEMU     monitor leading to a resource exhaustion but now also     triggered via QEMU guest agent.(CVE-2018-1064)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libvirt packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - util/virlog.c in libvirt does not properly determine     the hostname on LXC container startup, which allows     local guest OS users to bypass an intended container     protection mechanism and execute arbitrary commands via     a crafted NSS module.(CVE-2018-6764)

  - qemu/qemu_monitor.c in libvirt allows attackers to     cause a denial of service (memory consumption) via a     large QEMU reply.(CVE-2018-5748)

  - libvirt version 2.3.0 and later is vulnerable to a bad     default configuration of 'verify-peer=no' passed to     QEMU by libvirt resulting in a failure to validate     SSL/TLS certificates by default.(CVE-2017-1000256)

  - An incomplete fix for CVE-2018-5748 that affects QEMU     monitor leading to a resource exhaustion but now also     triggered via QEMU guest agent.(CVE-2018-1064)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the libvirt packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - util/virlog.c in libvirt does not properly determine     the hostname on LXC container startup, which allows     local guest OS users to bypass an intended container     protection mechanism and execute arbitrary commands via     a crafted NSS module.(CVE-2018-6764)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module.(CVE-2018-6764)

An update for libvirt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems.
In addition, libvirt provides tools for remote management of virtualized systems.

The following packages have been upgraded to a later upstream version:
libvirt (4.5.0). (BZ#1563169)

Security Fix(es) :

* libvirt: guest could inject executable code via libnss_dns.so loaded by libvirt_lxc before init (CVE-2018-6764)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Security Fix(es) :

  - libvirt: guest could inject executable code via     libnss_dns.so loaded by libvirt_lxc before init     (CVE-2018-6764)

From Red Hat Security Advisory 2018:3113 :

An update for libvirt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems.
In addition, libvirt provides tools for remote management of virtualized systems.

The following packages have been upgraded to a later upstream version:
libvirt (4.5.0). (BZ#1563169)

Security Fix(es) :

* libvirt: guest could inject executable code via libnss_dns.so loaded by libvirt_lxc before init (CVE-2018-6764)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

According to the versions of the libvirt packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - util/virlog.c in libvirt does not properly determine     the hostname on LXC container startup, which allows     local guest OS users to bypass an intended container     protection mechanism and execute arbitrary commands via     a crafted NSS module.(CVE-2018-6764)

  - qemu/qemu_monitor.c in libvirt allows attackers to     cause a denial of service (memory consumption) via a     large QEMU reply.(CVE-2018-5748)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libvirt packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An incomplete fix for CVE-2018-5748 that affects QEMU     monitor leading to a resource exhaustion but now also     triggered via QEMU guest agent.(CVE-2018-1064)

  - util/virlog.c in libvirt does not properly determine     the hostname on LXC container startup, which allows     local guest OS users to bypass an intended container     protection mechanism and execute arbitrary commands via     a crafted NSS module.(CVE-2018-6764)

  - qemu/qemu_monitor.c in libvirt allows attackers to     cause a denial of service (memory consumption) via a     large QEMU reply.(CVE-2018-5748)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libvirt and virt-manager fixes the following issues :

Security issues fixed :

  - CVE-2017-5715: Fixes for speculative side channel     attacks aka 'SpectreAttack' (var2) (bsc#1079869).

  - CVE-2018-6764: Fixed guest executable code injection via     libnss_dns.so loaded by libvirt_lxc before init     (bsc#1080042).

  - CVE-2018-1064: Fixed denial of service when reading from     guest agent (bsc#1083625).

Non-security issues fixed in libvirt :

  - bsc#1070615: Fixed TPM device passthrough failure on     kernels >= 4.0.

  - bsc#1082041: SUSE Linux Enterprise 11 SP4 hvm converted     to pvhvm. Unless vm memory is on gig boundary, vm won't     boot.

  - bsc#1082161: Unable to change RTC basis or adjustment     for Xen HVM guests using libvirt.

Non-security issues fixed in virt-manager :

  - bsc#1086038: VM guests cannot be properly installed with     virt-install

  - bsc#1067018: KVM Guest creation failed - Property .cmt     not found

  - bsc#1054986: Fix openSUSE 15.0 detection. It has no     content file or .treeinfo file

  - bsc#1085757: Fallback to latest version of openSUSE when     opensuse-unknown is detected for the ISO

This update was imported from the SUSE:SLE-12-SP3:Update update project.

This update for libvirt and virt-manager fixes the following issues:
Security issues fixed :

  - CVE-2017-5715: Fixes for speculative side channel     attacks aka 'SpectreAttack' (var2) (bsc#1079869).

  - CVE-2018-6764: Fixed guest executable code injection via     libnss_dns.so loaded by libvirt_lxc before init     (bsc#1080042).

  - CVE-2018-1064: Fixed denial of service when reading from     guest agent (bsc#1083625). Non-security issues fixed in     libvirt :

  - bsc#1070615: Fixed TPM device passthrough failure on     kernels >= 4.0.

  - bsc#1082041: SUSE Linux Enterprise 11 SP4 hvm converted     to pvhvm. Unless vm memory is on gig boundary, vm won't     boot.

  - bsc#1082161: Unable to change RTC basis or adjustment     for Xen HVM guests using libvirt. Non-security issues     fixed in virt-manager :

  - bsc#1086038: VM guests cannot be properly installed with     virt-install

  - bsc#1067018: KVM Guest creation failed - Property .cmt     not found

  - bsc#1054986: Fix openSUSE 15.0 detection. It has no     content file or .treeinfo file

  - bsc#1085757: Fallback to latest version of openSUSE when     opensuse-unknown is detected for the ISO

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201804-07 (libvirt: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libvirt. Please review       the CVE identifiers referenced below for details.
  Impact :

    A local privileged attacker could execute arbitrary commands or cause a       Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

This update for libvirt fixes the following issues: Security issues fixed :

  - CVE-2017-5715: Fixes for speculative side channel     attacks aka 'SpectreAttack' (var2) (bsc#1079869).

  - CVE-2018-6764: Fixed guest executable code injection via     libnss_dns.so loaded by libvirt_lxc before init     (bsc#1080042).

  - CVE-2018-1064: Fixed denial of service when reading from     guest agent (bsc#1083625). Non-security issues fixed :

  - Error starting domain: internal error: No usable sysfs     TPM cancel file could be found (bsc#1078808).

  - SUSE Linux Enterprise 11 SP4 hvm converted to pvhvm.
    Unless vm memory is on gig boundary, vm won't boot     (bsc#1082041).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library :

  - CVE-2018-1064     Daniel Berrange discovered that the QEMU guest agent     performed insufficient validation of incoming data,     which allows a privileged user in the guest to exhaust     resources on the virtualisation host, resulting in     denial of service.

  - CVE-2018-5748     Daniel Berrange and Peter Krempa discovered that the     QEMU monitor was susceptible to denial of service by     memory exhaustion. This was already fixed in Debian     stretch and only affects Debian jessie.

  - CVE-2018-6764     Pedro Sampaio discovered that LXC containers detected     the hostname insecurely. This only affects Debian     stretch.

Vivian Zhang and Christoph Anton Mitterer discovered that libvirt incorrectly disabled password authentication when the VNC password was set to an empty string. A remote attacker could possibly use this issue to bypass authentication, contrary to expectations. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5008)

Daniel P. Berrange discovered that libvirt incorrectly handled validating SSL/TLS certificates. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 17.10. (CVE-2017-1000256)

Daniel P. Berrange and Peter Krempa discovered that libvirt incorrectly handled large QEMU replies. An attacker could possibly use this issue to cause libvirt to crash, resulting in a denial of service. (CVE-2018-5748)

Pedro Sampaio discovered that libvirt incorrectly handled the libnss_dns.so module. An attacker in a libvirt_lxc session could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-6764).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124959	EulerOS Virtualization 3.0.1.0 : libvirt (EulerOS-SA-2019-1456)	Nessus	Huawei Local Security Checks	medium
124897	EulerOS Virtualization for ARM 64 3.0.1.0 : libvirt (EulerOS-SA-2019-1394)	Nessus	Huawei Local Security Checks	medium
124441	EulerOS 2.0 SP3 : libvirt (EulerOS-SA-2019-1314)	Nessus	Huawei Local Security Checks	medium
123618	EulerOS 2.0 SP5 : libvirt (EulerOS-SA-2019-1144)	Nessus	Huawei Local Security Checks	medium
123592	EulerOS 2.0 SP2 : libvirt (EulerOS-SA-2019-1118)	Nessus	Huawei Local Security Checks	medium
119788	Amazon Linux 2 : libvirt (ALAS-2018-1134)	Nessus	Amazon Linux Local Security Checks	medium
119692	CentOS 7 : libvirt (CESA-2018:3113)	Nessus	CentOS Local Security Checks	medium
119193	Scientific Linux Security Update : libvirt on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	medium
118773	Oracle Linux 7 : libvirt (ELSA-2018-3113)	Nessus	Oracle Linux Local Security Checks	medium
118530	RHEL 7 : libvirt (RHSA-2018:3113)	Nessus	Red Hat Local Security Checks	medium
117585	EulerOS Virtualization 2.5.0 : libvirt (EulerOS-SA-2018-1277)	Nessus	Huawei Local Security Checks	medium
117562	EulerOS Virtualization 2.5.1 : libvirt (EulerOS-SA-2018-1253)	Nessus	Huawei Local Security Checks	medium
109020	openSUSE Security Update : libvirt (openSUSE-2018-358) (Spectre)	Nessus	SuSE Local Security Checks	medium
109012	SUSE SLED12 / SLES12 Security Update : libvirt (SUSE-SU-2018:0920-1) (Spectre)	Nessus	SuSE Local Security Checks	medium
108928	GLSA-201804-07 : libvirt: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
108827	SUSE SLED12 / SLES12 Security Update : libvirt (SUSE-SU-2018:0861-1) (Spectre)	Nessus	SuSE Local Security Checks	medium
108346	Debian DSA-4137-1 : libvirt - security update	Nessus	Debian Local Security Checks	medium
106928	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : libvirt vulnerabilities (USN-3576-1)	Nessus	Ubuntu Local Security Checks	medium

CVE-2018-6764

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins