Permissions, Privileges, and Access Controls in Xen - CVE-2013-1922
Published: May 14, 2013 / Updated: July 28, 2020
Vulnerability identifier: #VU32687
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2013-1922
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Xen Project
Affected software:
Xen
Xen
Detailed vulnerability description
The vulnerability allows a local non-authenticated attacker to read and manipulate data.
qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk image based on the header, which allows local guest OS administrators to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted, a different vulnerability than CVE-2008-2004.
How to mitigate CVE-2013-1922
Install update from vendor's website.
Sources
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/103621.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/103637.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/104036.html
- http://secunia.com/advisories/55082
- http://security.gentoo.org/glsa/glsa-201309-24.xml
- http://www.openwall.com/lists/oss-security/2013/04/15/3
- http://www.openwall.com/lists/oss-security/2013/04/16/2
- http://www.securitytracker.com/id/1028426