CVE-2013-1922
Published: 15 April 2013
qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk image based on the header, which allows local guest OS administrators to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted, a different vulnerability than CVE-2008-2004.
Priority
Low
Status
| Package | Release | Status |
|---|---|---|
|
qemu Launchpad, Ubuntu, Debian |
Upstream |
Needed
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Not vulnerable
(1.5.0+dfsg-3ubuntu2)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Not vulnerable
(1.5.0+dfsg-3ubuntu2)
|
|
|
Patches: Upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=e6b636779b51c97e67694be740ee972c52460c59 |
||
|
qemu-kvm Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
Patches: Upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=e6b636779b51c97e67694be740ee972c52460c59 |
||
Notes
| Author | Note |
|---|---|
| jdstrand | attack is: privileged attacker in the guest that uses a raw image writes data to beginning of device. Later, someone on the host uses qemu-nbd on the attacker-modified image. When the guest is rebooted, the attacker may have access to other files. On Ubuntu, the preferred virtualization management technology is libvirt. As of USN-1008-1, libvirt does not probe the disk format, which reduces this attack to a denial of server for the guest (ie, the attacker-modified image is not usable on reboot). TODO: review use in nova |
| mdeslaur | patch just introduced new --format option. Default behaviour is still to autodetect. Adding this new option doesn't fix the issue by itself, so marking as "low" We will not be fixing this issue in Ubuntu 12.04 LTS. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1922
- http://www.openwall.com/lists/oss-security/2013/04/15/3
- NVD
- Launchpad
- Debian