SB2013041805 - Permissions, Privileges, and Access Controls in xen (Alpine package)

Description

This security bulletin contains information about 1 vulnerability.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-1922)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local non-authenticated attacker to read and manipulate data.

qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk image based on the header, which allows local guest OS administrators to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted, a different vulnerability than CVE-2008-2004.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=695a72617ae53a60aaefe8567f3e245882e5d6b8
• https://git.alpinelinux.org/aports/commit/?id=6665cdadf07a7dc49d8e128fc8cdd368751c2bef
• https://git.alpinelinux.org/aports/commit/?id=8c7a03b0e4c14ef5142e44a733ef2b39816c1d18