Vigil@nce - libvirt: denial of service via RPC
August 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A network attacker can send special queries to the libvirtd
daemon, in order to stop it, and possibly to execute code.
Severity: 2/4
Creation date: 01/08/2012
IMPACTED PRODUCTS
– openSUSE
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The libvirt library provides a standard interface to several
virtualization products (Xen, QEMU, KVM, etc.).
The libvirtd daemon provides remote access to libvirt features.
The daemon/remote.c file implements RPC remote queries:
remoteDispatchDomainGetSchedulerParameters()
remoteDispatchDomainGetSchedulerParametersFlags()
remoteDispatchDomainBlockStatsFlags()
remoteDispatchDomainGetMemoryParameters()
remoteDispatchDomainGetNumaParameters()
remoteDispatchDomainGetBlkioParameters()
remoteDispatchDomainGetBlockIoTune()
remoteDispatchDomainGetInterfaceParameters()
These functions allocate a memory area to store parameters.
However, if there is no parameter, an invalid pointer is used. If
the memory contains the value 7 (VIR_TYPED_PARAM_STRING), an
unallocated memory area is then freed.
A network attacker can therefore send special queries to the
libvirtd daemon, in order to stop it, and possibly to execute code.
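The cleanup failure described above, reduced to a simplified C model. This is an added example, not libvirt's code and not part of the bulletin; param_t, param_array, params_alloc and params_clear are hypothetical names, and the sample values are constructed. It shows the defensive shape: zero-initialised slots, and a cleanup loop bounded by the allocated length.

```c
#include <stdlib.h>
#include <string.h>

#define PARAM_STRING 7 /* value the bulletin gives for VIR_TYPED_PARAM_STRING */

/* Hypothetical simplified model, not libvirt's own types. */
typedef struct { int type; union { long l; char *s; } value; } param_t;
typedef struct { param_t *items; size_t allocated; } param_array;

/* calloc zeroes every slot, so an unfilled slot never looks like a string. */
static int params_alloc(param_array *a, size_t n) {
    a->items = n ? calloc(n, sizeof(param_t)) : NULL;
    a->allocated = a->items ? n : 0;
    return (n == 0 || a->items) ? 0 : -1;
}

/* Frees string values, walking no further than the allocated length even if
 * the caller passes a larger count. Returns the number of strings freed. */
static size_t params_clear(param_array *a, size_t count) {
    size_t n = count < a->allocated ? count : a->allocated, freed = 0;
    for (size_t i = 0; i < n; i++) {
        if (a->items[i].type == PARAM_STRING && a->items[i].value.s != NULL) {
            free(a->items[i].value.s);
            freed++;
        }
    }
    free(a->items);
    a->items = NULL; a->allocated = 0;
    return freed;
}

/* Zero-parameter request: nothing is allocated, yet cleanup is handed a
 * non-zero count (6 is constructed). The bounded loop touches nothing. */
size_t demo_zero_request(void) {
    param_array a;
    if (params_alloc(&a, 0) != 0) return (size_t)-1;
    return params_clear(&a, 6);
}

/* Normal request: three slots, one holding a heap string (constructed data). */
size_t demo_one_string(void) {
    param_array a;
    if (params_alloc(&a, 3) != 0) return (size_t)-1;
    a.items[1].type = PARAM_STRING;
    a.items[1].value.s = malloc(4);
    if (a.items[1].value.s) strcpy(a.items[1].value.s, "cfq");
    return params_clear(&a, 3);
}

int main(void) { return (demo_zero_request() == 0 && demo_one_string() == 1) ? 0 : 1; }
```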
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libvirt-denial-of-service-via-RPC-11812