CVE-2024-4418

A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it.

CVSS v3 6.2 MEDIUM

6.2^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.5 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2024:4351
https://access.redhat.com/errata/RHSA-2024:4432
https://access.redhat.com/errata/RHSA-2024:4757
https://access.redhat.com/security/cve/CVE-2024-4418
https://bugzilla.redhat.com/show_bug.cgi?id=2278616
https://access.redhat.com/errata/RHSA-2024:4351
https://access.redhat.com/errata/RHSA-2024:4432
https://access.redhat.com/errata/RHSA-2024:4757
https://access.redhat.com/security/cve/CVE-2024-4418
https://bugzilla.redhat.com/show_bug.cgi?id=2278616
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4IE44UIIC3QWBFRB4EUSFNLJBU6JLNSD/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4ZQBAJVHIZMCZNTRPUW3ZKXRKLXRQZU/

Configurations

No configuration.

History

21 Nov 2024, 09:42

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4IE44UIIC3QWBFRB4EUSFNLJBU6JLNSD/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4ZQBAJVHIZMCZNTRPUW3ZKXRKLXRQZU/ -
References	~~() https://access.redhat.com/errata/RHSA-2024:4351 -~~	() https://access.redhat.com/errata/RHSA-2024:4351 -
References	~~() https://access.redhat.com/errata/RHSA-2024:4432 -~~	() https://access.redhat.com/errata/RHSA-2024:4432 -
References	~~() https://access.redhat.com/errata/RHSA-2024:4757 -~~	() https://access.redhat.com/errata/RHSA-2024:4757 -
References	~~() https://access.redhat.com/security/cve/CVE-2024-4418 -~~	() https://access.redhat.com/security/cve/CVE-2024-4418 -
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2278616 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2278616 -

13 Sep 2024, 22:15

Type	Values Removed	Values Added
References	~~{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4IE44UIIC3QWBFRB4EUSFNLJBU6JLNSD/', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4ZQBAJVHIZMCZNTRPUW3ZKXRKLXRQZU/', 'source': 'secalert@redhat.com'}~~

23 Jul 2024, 22:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:4757 -

09 Jul 2024, 17:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:4432 -

08 Jul 2024, 05:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:4351 -

21 Jun 2024, 02:15

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4ZQBAJVHIZMCZNTRPUW3ZKXRKLXRQZU/ -

11 Jun 2024, 04:15

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4IE44UIIC3QWBFRB4EUSFNLJBU6JLNSD/ -

08 May 2024, 13:15

Type	Values Removed	Values Added
Summary		(es) Se encontró en libvirt una condición de ejecución que conducía a una falla de use-after-free de la pila. Debido a una mala suposición en el método virNetClientIOEventLoop(), el puntero de `datos` a una estructura virNetClientIOEventData asignada a la pila terminó usándose en la devolución de llamada de virNetClientIOEventFD mientras el marco de pila del puntero de datos se "liberaba" simultáneamente al regresar de virNetClientIOEventLoop() . El daemon 'virtproxyd' se puede utilizar para activar solicitudes. Si libvirt está configurado con un control de acceso detallado, este problema, en teoría, permite al usuario escapar de su acceso, que de otro modo sería limitado. Esta falla permite que un usuario local sin privilegios acceda a virtproxyd sin autenticarse. Los usuarios remotos tendrían que autenticarse antes de poder acceder a él.

08 May 2024, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-08 03:15

Updated : 2024-11-21 09:42

NVD link : CVE-2024-4418

Mitre link : CVE-2024-4418

CVE.ORG link : CVE-2024-4418

JSON object : View

Products Affected

No product.

CWE

CWE-416

Use After Free

6.2 /10