SB2013060403 - Permissions, Privileges, and Access Controls in qemu (Alpine package)
Published: June 4, 2013
Security Bulletin ID
SB2013060403
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-2007)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local non-authenticated attacker to execute arbitrary code.
The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=8cedb270f0092677dc5f897a4632323d12c81787
- https://git.alpinelinux.org/aports/commit/?id=ef7cc55e6635a229f49ae024c7b4f92945b1aa2d
- https://git.alpinelinux.org/aports/commit/?id=563e2f3d73036c1b799204edd5a7742c90ee711d
- https://git.alpinelinux.org/aports/commit/?id=0a719315035072323f00ba0aadcf16849598923f
- https://git.alpinelinux.org/aports/commit/?id=3fe8d5a2ee5d338106f55639b69337377618e91b