Vigil@nce - libvirt: privilege escalation via Event Registration
February 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use the Event Registration API of libvirt, in
order to escalate his privileges.
Impacted products: Fedora, Unix (platform)
Severity: 2/4
Creation date: 17/01/2014
DESCRIPTION OF THE VULNERABILITY
The libvirt library provides a standard interface on several
virtualization products (Xen, QEMU, KVM, etc.).
ACLs define allowed accesses for users. However, a user can call
the Event Registration API, in order to bypass ACLs.
An attacker can therefore use the Event Registration API of
libvirt, in order to escalate his privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libvirt-privilege-escalation-via-Event-Registration-14107