FreeBSD : libvirt -- ACL bypass using ../ to access beyond storage pool (f714b4c9-a6c1-11e5-88d7-047d7b492d07)

Low Nessus Plugin ID 87515


The remote FreeBSD host is missing one or more security-related updates.


Libvit development team reports :

Various virStorageVol* API operate on user-supplied volume names by concatenating the volume name to the pool location. Note that the virStoragePoolListVolumes API, when used on a storage pool backed by a directory in a file system, will only list volumes immediately in that directory (there is no traversal into subdirectories). However, other APIs such as virStorageVolCreateXML were not checking if a potential volume name represented one of the volumes that could be returned by virStoragePoolListVolumes; because they were not rejecting the use of '/' in a volume name.

Because no checking was done on volume names, a user could supply a potential volume name of something like '../../../etc/passwd' to attempt to access a file not belonging to the storage pool. When fine-grained Access Control Lists (ACL) are in effect, a user with storage_vol:create ACL permission but lacking domain:write permission could thus abuse virStorageVolCreateXML and similar APIs to gain access to files not normally permitted to that user. Fortunately, it appears that the only APIs that could leak information or corrupt files require read-write connection to libvirtd; and when ACLs are not in use (the default without any further configuration), a user with read-write access can already be considered to have full access to the machine, and without an escalation of privilege there is no security problem.


Update the affected packages.

See Also

Plugin Details

Severity: Low

ID: 87515

File Name: freebsd_pkg_f714b4c9a6c111e588d7047d7b492d07.nasl

Version: $Revision: 2.4 $

Type: local

Published: 2015/12/21

Modified: 2017/07/05

Dependencies: 12634

Risk Information

Risk Factor: Low


Base Score: 1.9

Vector: CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:N


Base Score: 2.5

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:libvirt, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2015/12/20

Vulnerability Publication Date: 2015/10/30

Reference Information

CVE: CVE-2015-5313