Vigil@nce: libvirt, creation of iptables rules
January 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When libvirt is used to create a network whose forward mode is
"bridge", iptables rules that are not needed are added.
– Severity: 2/4
– Creation date: 10/01/2012
IMPACTED PRODUCTS
– Fedora
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The libvirt library provides a standard interface to several
virtualization products (Xen, QEMU, KVM, etc.).
Libvirt can be used to configure a virtual network with forwarding
(packet forwarding) enabled, in one of several modes:
– NAT translation
– routing
– bridge
Depending on the mode, iptables firewall rules are added to the
FORWARD chain. In bridge mode, however, no rules are needed, yet
rules permitting traffic on the "virbrX" bridge interface are still
added.
When libvirt is used to create a network whose forward mode is
"bridge", unneeded iptables rules are therefore added, and the host
firewall ends up permitting forwarding that the administrator never
asked for.
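The following is an added example, not part of the Vigil@nce bulletin and not libvirt's own code: a small POSIX shell check an administrator can run after defining a network, to verify that a bridge-mode network has not caused FORWARD rules for its bridge interface to appear. The network XML, the interface name "virbr0" and the rule lines (in the format printed by `iptables -S FORWARD`) are constructed samples so the check runs offline; on a real host you would feed it `virsh net-dumpxml <name>` and `iptables -S FORWARD` instead.

```shell
# Added example (not from the bulletin or from libvirt): decide from a
# network definition whether FORWARD rules are expected, then count the
# FORWARD rules that actually reference the bridge interface.

# Constructed sample network definition: forward mode "bridge" on virbr0.
SAMPLE_NETWORK_XML="<network>
  <name>hostbridge</name>
  <forward mode='bridge'/>
  <bridge name='virbr0'/>
</network>"

# Constructed sample of `iptables -S FORWARD` output on a host where rules
# for virbr0 were added anyway (the eth0/eth1 line is unrelated noise).
SAMPLE_FORWARD_RULES='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o eth1 -j ACCEPT'

# Extract the forward mode ("nat", "route", "bridge", ...) from network XML.
# Usage: network_forward_mode "<xml text>"
network_forward_mode() {
    printf '%s\n' "$1" | sed -n "s/.*<forward[^>]*mode='\([^']*\)'.*/\1/p" | head -n 1
}

# Print the FORWARD rules whose -i or -o option names the given interface.
# Usage: bridge_forward_rules <iface> [rules-text]  (defaults to the sample)
bridge_forward_rules() {
    iface=$1
    rules=${2:-$SAMPLE_FORWARD_RULES}
    printf '%s\n' "$rules" | grep -E -- "(^|[[:space:]])-[io] ${iface}([[:space:]]|$)"
}

# Count those rules; for a bridge-mode network the expected count is 0.
count_bridge_forward_rules() {
    bridge_forward_rules "$@" | grep -c . || true
}

# Combine both: warn (and return 1) when mode is "bridge" but FORWARD rules
# for the interface exist. Usage: check_bridge_network <xml> <iface> <rules>
check_bridge_network() {
    mode=$(network_forward_mode "$1")
    n=$(count_bridge_forward_rules "$2" "$3")
    if [ "$mode" = bridge ] && [ "$n" -gt 0 ]; then
        echo "WARN: forward mode=bridge but $n FORWARD rule(s) reference $2"
        return 1
    fi
    echo "OK: forward mode=$mode, $n FORWARD rule(s) reference $2"
    return 0
}

# Stand-alone run against the constructed samples (expected to warn).
check_bridge_network "$SAMPLE_NETWORK_XML" virbr0 "$SAMPLE_FORWARD_RULES" || :
```

The interface-matching pattern anchors on the `-i`/`-o` options so that `virbr0` does not also match `virbr01`; if the check warns on a live host, the extra rules can be compared against `virsh net-dumpxml` for every defined network to confirm none of them legitimately requested forwarding on that interface.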
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libvirt-creation-of-iptables-rules-11265