Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2011-2527

Overview

Vulnerability Score 2.1 2.1
CVE Id CVE-2011-2527
Last Modified 26 Jun 2012 12:00:00
Published 21 Jun 2012 11:55:09
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact NONE NONE
Availability Impact NONE NONE
Access Vector LOCAL
Access Complexity LOW
Authentication NONE

CVE-2011-2527

Summary

The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier does not properly drop group privileges when the -runas option is used, which allows local guest users to access restricted files on the host.

Vulnerable Systems

Application

  • Qemu 0.1

  • Qemu 0.1.1

  • Qemu 0.1.2

  • Qemu 0.1.3

  • Qemu 0.1.4

  • Qemu 0.1.5

  • Qemu 0.1.6

  • Qemu 0.10.0

  • Qemu 0.10.1

  • Qemu 0.10.2

  • Qemu 0.10.3

  • Qemu 0.10.4

  • Qemu 0.10.5

  • Qemu 0.10.6

  • Qemu 0.11.0

  • Qemu 0.11.0-rc0

  • Qemu 0.11.0-rc1

  • Qemu 0.11.0-rc2

  • Qemu 0.11.1

  • Qemu 0.12.0

  • Qemu 0.12.1

  • Qemu 0.12.2

  • Qemu 0.12.3

  • Qemu 0.12.4

  • Qemu 0.12.5

  • Qemu 0.13.0

  • Qemu 0.14.0

  • Qemu 0.14.1

  • Qemu 0.15.0

  • Qemu 0.2

  • Qemu 0.3

  • Qemu 0.4

  • Qemu 0.4.1

  • Qemu 0.4.2

  • Qemu 0.4.3

  • Qemu 0.6.0

  • Qemu 0.6.1

  • Qemu 0.7.0

  • Qemu 0.7.1

  • Qemu 0.7.2

  • Qemu 0.8.0

  • Qemu 0.8.1

  • Qemu 0.8.2

  • Qemu 0.9.0

  • Qemu 0.9.1

  • Qemu 0.9.1-5


References

CONFIRM - https://bugs.launchpad.net/qemu/+bug/807893

XF - qemu-runas-priv-escalation(68539)

BID - 48659

OSVDB - 74752

MLIST - [oss-security] 20110712 CVE Request: qemu -runas does not clear supplementary groups

MLIST - [oss-security] 20110712 Re: CVE Request: qemu -runas does not clear supplementary groups

UBUNTU - USN-1177-1

SECUNIA - 47992

SECUNIA - 47157

SECUNIA - 45419

SECUNIA - 45188

SECUNIA - 45187

REDHAT - RHSA-2011:1531

SUSE - openSUSE-SU-2012:0207

FEDORA - FEDORA-2012-8604

DEBIAN - DSA-2282

Related Patches

Novell SUSE 2012:5655 kvm security update for SLE 11 SP1 i586

Novell SUSE 2012:5655 kvm security update for SLE 11 SP1 x86_64


Last Updated: 27 May 2016 10:56:34