libvirt Vulnerabilities

libvirt is an open source API, daemon and management tool for managing platform virtualization. It can be used to manage KVM, Xen, VMware ESX, QEMU and other virtualization technologies. These APIs are widely used in the orchestration layer of hypervisors in the development of a cloud-based solution.

Some of the major libvirt features are:

VM management: Various domain lifecycle operations such as start, stop, pause, save, restore, and migrate.
Remote machine support: All libvirt functionality is accessible on any machine running the libvirt daemon, including remote machines.
Storage management: Any host running the libvirt daemon can be used to manage various types of storage: create file images of various formats (qcow2, vmdk, raw, …), mount NFS shares, enumerate existing LVM volume groups, create new LVM volume groups and logical volumes, partition raw disk devices, etc.
Network interface management: Any host running the libvirt daemon can be used to manage physical and logical network interfaces.
Virtual NAT and Route based networking: Any host running the libvirt daemon can manage and create virtual networks.

Daniel P. Berrange and Richard Jones discovered that libvirt incorrectly
handled XML documents containing XML external entity declarations. An
attacker could use this issue to cause libvirtd to crash, resulting in a
denial of service on all affected releases, or possibly read arbitrary
files if fine grained access control was enabled on Ubuntu 14.04 LTS.
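A management layer that accepts domain XML from tenants can refuse documents carrying a DOCTYPE or entity declarations before they ever reach libvirtd. The following pre-check is an added example, not libvirt's or Ubuntu's code; the function names and the sample XML are constructed for illustration, and the external reference is recorded but never fetched.

```python
import xml.parsers.expat


def inspect_domain_xml(xml_text):
    """Parse xml_text with expat and report any DOCTYPE or entity declarations.

    Returns a dict with keys:
      well_formed : bool
      doctype     : name of the DOCTYPE if present, else None
      entities    : one dict per declared entity (name, parameter, external, system_id)
    """
    report = {"well_formed": True, "doctype": None, "entities": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = name

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        report["entities"].append({
            "name": name,
            "parameter": bool(is_param),
            "external": system_id is not None,
            "system_id": system_id,
        })

    # Returning 1 tells expat the reference was handled; nothing is opened or read.
    def on_external_ref(context, base, system_id, public_id):
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError:
        report["well_formed"] = False
    return report


def is_acceptable_domain_xml(xml_text):
    """True only for well-formed XML with no DOCTYPE and no entity declarations."""
    r = inspect_domain_xml(xml_text)
    return r["well_formed"] and r["doctype"] is None and not r["entities"]


# Constructed inputs for a self-check (hypothetical, not libvirt-generated XML).
CLEAN_XML = "<domain type='kvm'><name>guest01</name><memory unit='MiB'>512</memory></domain>"
XXE_XML = (
    "<?xml version='1.0'?>\n"
    "<!DOCTYPE domain [<!ENTITY ext SYSTEM 'file:///CONSTRUCTED/placeholder'>]>\n"
    "<domain type='kvm'><name>&ext;</name></domain>"
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_XML), ("dtd", XXE_XML)):
        verdict = "accepted" if is_acceptable_domain_xml(doc) else "rejected"
        print(label, verdict, inspect_domain_xml(doc))
```

Rejecting any DOCTYPE is deliberate: libvirt's own XML never needs one, so the check can be strict without breaking legitimate definitions.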

Luyao Huang discovered that libvirt incorrectly handled certain blkiotune
queries. An attacker could use this issue to cause libvirtd to crash,
resulting in a denial of service. This issue only applied to Ubuntu 12.04
LTS and Ubuntu 14.04 LTS.

You are using libvirt if you manage virtual machines using virsh, virt-manager, or virt-install (pretty much any virtualization tool that starts with virt-*). If you are using hypervisor-specific tools like 'xm', 'qemu-kvm', etc. directly, you probably are not using libvirt. If you have virtual machines on your existing machine and you are using libvirt, 'virsh list --all' (usually run as root) should list them.

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS:
libvirt0 1.2.2-0ubuntu13.1.5
libvirt-bin 1.2.2-0ubuntu13.1.5
Ubuntu 12.04 LTS:
libvirt0 0.9.8-2ubuntu17.20
libvirt-bin 0.9.8-2ubuntu17.20
Ubuntu 10.04 LTS:
libvirt0 0.7.5-5ubuntu27.25
libvirt-bin 0.7.5-5ubuntu27.25
