CVE-2013-1922

Published: 15 April 2013

qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk image based on the header, which allows local guest OS administrators to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted, a different vulnerability than CVE-2008-2004.

Priority

Low

Status

Package Release Status
qemu
Launchpad, Ubuntu, Debian
Upstream Needed

Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(1.5.0+dfsg-3ubuntu2)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(1.5.0+dfsg-3ubuntu2)
Patches:
Upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=e6b636779b51c97e67694be740ee972c52460c59
qemu-kvm
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=e6b636779b51c97e67694be740ee972c52460c59

Notes

AuthorNote
jdstrand
attack is: privileged attacker in the guest that uses a raw image
writes data to beginning of device. Later, someone on the host uses qemu-nbd
on the attacker-modified image. When the guest is rebooted, the attacker may
have access to other files.
On Ubuntu, the preferred virtualization management technology is
libvirt. As of USN-1008-1, libvirt does not probe the disk format, which
reduces this attack to a denial of server for the guest (ie, the
attacker-modified image is not usable on reboot).
TODO: review use in nova
mdeslaur
patch just introduced new --format option. Default behaviour is
still to autodetect. Adding this new option doesn't fix the
issue by itself, so marking as "low"
We will not be fixing this issue in Ubuntu 12.04 LTS.

References

Bugs