Debian DSA-3613-1 : libvirt - security update

Severity: Critical | Nessus Plugin ID 91924

Synopsis

The remote Debian host is missing a security-related update.

Description

Vivian Zhang and Christoph Anton Mitterer discovered that setting an empty VNC password does not work as documented in Libvirt, a virtualisation abstraction library. When the password on a VNC server is set to the empty string, authentication on the VNC server will be disabled, allowing any user to connect, despite the documentation declaring that setting an empty password for the VNC server prevents all client connections. With this update the behaviour is enforced by setting the password expiration to 'now'.

Solution

Upgrade the libvirt packages.

For the stable distribution (jessie), this problem has been fixed in version 1.2.9-9+deb8u3.

See Also

https://packages.debian.org/source/jessie/libvirt

https://www.debian.org/security/2016/dsa-3613

Plugin Details

Severity: Critical

ID: 91924

File Name: debian_DSA-3613.nasl

Version: 2.10

Type: local

Agent: unix

Published: 7/5/2016

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libvirt, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 7/2/2016

Reference Information

CVE: CVE-2016-5008

DSA: 3613