Updated libvirt packages fix security vulnerabilities
Publication date: 01 Mar 2018Modification date: 01 Mar 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-1000256 , CVE-2017-5715 , CVE-2018-5748 , CVE-2018-6764
Description
Updated libvirt packages fix security vulnerabilities:
In virsh, the hostname could crafted maliciously with ssh arguments, which would
be passed to ssh (bsc#1053600).
The default_tls_x509_verify (and related) parameters in qemu.conf control
whether the TLS servers in QEMU request & verify certificates from clients. This
works as a simple access control system for QEMU servers by requiring the CA to
issue certs to permitted clients. This use of client certificates is disabled by
default, since it requires extra work to issue client certificates.
Unfortunately the libvirt code was using these configuration parameters when
setting up both TLS clients and servers in QEMU. The result was that TLS clients
for character devices and disk devices had verification turned off, meaning they
would ignore any errors while validating the server certificate
(CVE-2017-1000256).
An industry-wide issue was found in the way many modern microprocessor designs
have implemented speculative execution of instructions (a commonly used
performance optimization). There are three primary variants of the issue which
differ in the way the speculative execution can be exploited. Variant
CVE-2017-5715 triggers the speculative execution by utilizing branch target
injection. It relies on the presence of a precisely-defined instruction sequence
in the privileged code as well as the fact that memory accesses may cause
allocation into the microprocessor's data cache even for speculatively executed
instructions that never actually commit (retire). As a result, an unprivileged
attacker could use this flaw to cross the syscall and guest/host boundaries and
read privileged memory by conducting targeted cache side-channel attacks
(CVE-2017-5715).
qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service
(memory consumption) via a large QEMU reply (CVE-2018-5748).
It was discovered libvirt does not properly determine the hostname on LXC
container startup, which allows local guest OS users to bypass an intended
container protection mechanism and execute arbitrary commands via a crafted NSS
module (CVE-2018-6764).
References
- https://bugs.mageia.org/show_bug.cgi?id=22280
- https://security.libvirt.org/2017/0002.html
- https://lists.opensuse.org/opensuse-updates/2017-10/msg00018.html
- https://lists.opensuse.org/opensuse-updates/2017-10/msg00096.html
- https://access.redhat.com/errata/RHSA-2018:0029
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000256
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5748
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6764
SRPMS
6/core
- libvirt-3.10.0-1.1.mga6
- python-libvirt-3.10.0-1.mga6