Advisories ยป MGASA-2018-0153

Updated libvirt packages fix security vulnerabilities

Publication date: 01 Mar 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-1000256 , CVE-2017-5715 , CVE-2018-5748 , CVE-2018-6764


Updated libvirt packages fix security vulnerabilities:

In virsh, the hostname could crafted maliciously with ssh arguments, which would 
be passed to ssh (bsc#1053600).

The default_tls_x509_verify (and related) parameters in qemu.conf control 
whether the TLS servers in QEMU request & verify certificates from clients. This 
works as a simple access control system for QEMU servers by requiring the CA to 
issue certs to permitted clients. This use of client certificates is disabled by 
default, since it requires extra work to issue client certificates. 
Unfortunately the libvirt code was using these configuration parameters when 
setting up both TLS clients and servers in QEMU. The result was that TLS clients 
for character devices and disk devices had verification turned off, meaning they 
would ignore any errors while validating the server certificate 

An industry-wide issue was found in the way many modern microprocessor designs 
have implemented speculative execution of instructions (a commonly used 
performance optimization). There are three primary variants of the issue which 
differ in the way the speculative execution can be exploited. Variant 
CVE-2017-5715 triggers the speculative execution by utilizing branch target 
injection. It relies on the presence of a precisely-defined instruction sequence 
in the privileged code as well as the fact that memory accesses may cause 
allocation into the microprocessor's data cache even for speculatively executed 
instructions that never actually commit (retire). As a result, an unprivileged 
attacker could use this flaw to cross the syscall and guest/host boundaries and 
read privileged memory by conducting targeted cache side-channel attacks 

qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service 
(memory consumption) via a large QEMU reply (CVE-2018-5748).

It was discovered libvirt does not properly determine the hostname on LXC 
container startup, which allows local guest OS users to bypass an intended 
container protection mechanism and execute arbitrary commands via a crafted NSS 
module (CVE-2018-6764).