Permissions, Privileges, and Access Controls in QEMU - CVE-2013-2007
Published: May 21, 2013 / Updated: July 28, 2020
Vulnerability identifier: #VU32665
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2013-2007
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: QEMU
Affected software:
QEMU
Detailed vulnerability description
The vulnerability allows a local non-authenticated attacker to execute arbitrary code.
The QEMU guest agent in QEMU 1.4.1 and earlier, as used by Xen, uses weak permissions for certain files when started in daemon mode, which allows local users to read and write these files.
How to mitigate CVE-2013-2007
Install the update from the vendor's website.
Sources
- http://git.qemu.org/?p=qemu.git;a=commit;h=c689b4f1bac352dcfd6ecb9a1d45337de0f1de67
- http://lists.opensuse.org/opensuse-updates/2013-07/msg00057.html
- http://osvdb.org/93032
- http://rhn.redhat.com/errata/RHSA-2013-0791.html
- http://rhn.redhat.com/errata/RHSA-2013-0896.html
- http://secunia.com/advisories/53325
- http://www.openwall.com/lists/oss-security/2013/05/06/5
- http://www.securityfocus.com/bid/59675
- http://www.securitytracker.com/id/1028521
- https://bugzilla.redhat.com/show_bug.cgi?id=956082
- https://exchange.xforce.ibmcloud.com/vulnerabilities/84047