Updated libvirt packages fix security vulnerabilities
Publication date: 01 Mar 2018Modification date: 01 Mar 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-1000256 , CVE-2017-5715 , CVE-2018-5748 , CVE-2018-6764
Description
Updated libvirt packages fix security vulnerabilities: In virsh, the hostname could crafted maliciously with ssh arguments, which would be passed to ssh (bsc#1053600). The default_tls_x509_verify (and related) parameters in qemu.conf control whether the TLS servers in QEMU request & verify certificates from clients. This works as a simple access control system for QEMU servers by requiring the CA to issue certs to permitted clients. This use of client certificates is disabled by default, since it requires extra work to issue client certificates. Unfortunately the libvirt code was using these configuration parameters when setting up both TLS clients and servers in QEMU. The result was that TLS clients for character devices and disk devices had verification turned off, meaning they would ignore any errors while validating the server certificate (CVE-2017-1000256). An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks (CVE-2017-5715). qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply (CVE-2018-5748). It was discovered libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module (CVE-2018-6764).
References
- https://bugs.mageia.org/show_bug.cgi?id=22280
- https://security.libvirt.org/2017/0002.html
- https://lists.opensuse.org/opensuse-updates/2017-10/msg00018.html
- https://lists.opensuse.org/opensuse-updates/2017-10/msg00096.html
- https://access.redhat.com/errata/RHSA-2018:0029
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000256
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5748
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6764
SRPMS
6/core
- libvirt-3.10.0-1.1.mga6
- python-libvirt-3.10.0-1.mga6