Vulnerability Name: CVE-2011-2527 (CCN-68539)
Assigned: 2011-07-09
Published: 2011-07-09
Updated: 2020-11-02
Summary:
The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier does not properly drop group privileges when the -runas option is used, which allows local guest users to access restricted files on the host.
CVSS v3 Severity: 5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
3.7 Low (REDHAT CVSS v2 Vector: AV:L/AC:H/Au:N/C:P/I:P/A:P)
2.7 Low (REDHAT Temporal CVSS v2 Vector: AV:L/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-264
Vulnerability Consequences: Gain Privileges
References:
Source: CCN
Type: QEMU Web page
QEMU
Source: MITRE
Type: CNA
CVE-2011-2527
Source: FEDORA
Type: UNKNOWN
FEDORA-2012-8604
Source: SUSE
Type: UNKNOWN
openSUSE-SU-2012:0207
Source: CCN
Type: RHSA-2011-1531
Moderate: qemu-kvm security, bug fix, and enhancement update
Source: REDHAT
Type: UNKNOWN
RHSA-2011:1531
Source: CCN
Type: SA45187
Qemu VirtIO virtqueue Request Handling Buffer Overflow Vulnerability
Source: SECUNIA
Type: Vendor Advisory
45187
Source: CCN
Type: SA45188
KVM qemu-kvm VirtIO virtqueue Request Handling Buffer Overflow Vulnerability
Source: SECUNIA
Type: Vendor Advisory
45188
Source: SECUNIA
Type: Vendor Advisory
45419
Source: SECUNIA
Type: Vendor Advisory
47157
Source: SECUNIA
Type: Vendor Advisory
47992
Source: UBUNTU
Type: UNKNOWN
USN-1177-1
Source: DEBIAN
Type: DSA-2282
qemu-kvm -- several vulnerabilities
Source: MLIST
Type: UNKNOWN
[oss-security] 20110712 Re: CVE Request: qemu -runas does not clear supplementary groups
Source: MLIST
Type: UNKNOWN
[oss-security] 20110712 CVE Request: qemu -runas does not clear supplementary groups
Source: OSVDB
Type: UNKNOWN
74752
Source: CCN
Type: OSVDB ID: 74752
qemu-kvm -runas Option Local Privilege Escalation
Source: BID
Type: UNKNOWN
48659
Source: CCN
Type: BID-48659
QEMU '-runas' Argument Local Security Bypass Vulnerability
Source: CCN
Type: QEMU Bug #807893
qemu privilege escalation
Source: CONFIRM
Type: UNKNOWN
https://bugs.launchpad.net/qemu/+bug/807893
Source: XF
Type: UNKNOWN
qemu-runas-priv-escalation(68539)
Source: DEBIAN
Type: UNKNOWN
DSA-2282
Vulnerable Configuration:
Configuration 1:
cpe:/a:qemu:qemu:0.12.4:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.12.0:-:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.11.0:rc1:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.11.0:rc0:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.10.2:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.9.1:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.7.1:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.7.0:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.3.0:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.2.0:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.15.0:rc2:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.1.5:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.11.0-rc1:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.13.0:rc1:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.13.0:rc0:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.12.0:rc2:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.12.1:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.11.0:-:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.10.5:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.9.1-5:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.9.0:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.6.1:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.6.0:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.13.0:-:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:*:*:*:*:*:*:*:*
(Version <= 0.14.0)
OR
cpe:/a:qemu:qemu:0.12.3:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.12.2:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.10.4:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.10.6:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.8.0:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.8.1:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.4.1:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.4.0:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.1.1:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.14.0:rc1:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.12.0:rc1:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.12.5:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.11.1:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.11.0:rc2:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.10.1:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.10.0:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.10.3:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.14.0:rc0:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.14.0:rc2:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.15.0:rc1:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.1.6:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.1.2:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.1.3:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.1.4:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.8.2:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.7.2:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.4.3:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.4.2:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.14.1:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.1.0:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.11.0-rc0:*:*:*:*:*:*:*
OR
cpe:/a:qemu:qemu:0.11.0-rc2:*:*:*:*:*:*:*
Configuration RedHat 1:
cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*
Configuration RedHat 2:
cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*
Configuration RedHat 3:
cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*
Configuration RedHat 4:
cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*
Configuration RedHat 5:
cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*
Configuration CCN 1:
cpe:/a:fabrice_bellard:qemu:0.8.2:*:*:*:*:*:*:*
OR
cpe:/a:fabrice_bellard:qemu:0.8.2:*:*:*:*:*:*:*
AND
cpe:/o:redhat:enterprise_linux:6:*:server:*:*:*:*:*
OR
cpe:/o:redhat:enterprise_linux:6:*:workstation:*:*:*:*:*
OR
cpe:/o:redhat:enterprise_linux_desktop:6:*:*:*:*:*:*:*
OR
cpe:/o:redhat:enterprise_linux_hpc_node:6:*:*:*:*:*:*:*
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20112527 | V | CVE-2011-2527 | 2022-05-20
oval:org.opensuse.security:def:33067 | P | Security update for libqt4 (Important) | 2021-12-22
oval:org.opensuse.security:def:33956 | P | Security update for libcares2 (Important) | 2021-08-16
oval:org.opensuse.security:def:33917 | P | Security update for libwebp (Critical) | 2021-06-02
oval:org.opensuse.security:def:32911 | P | Security update for bind (Important) | 2021-05-04
oval:org.opensuse.security:def:28875 | P | Security update for cyrus-sasl (Important) | 2020-12-28
oval:org.opensuse.security:def:32824 | P | Security update for xen (Important) | 2020-12-07
oval:org.opensuse.security:def:28649 | P | Security update for CUPS | 2020-12-01
oval:org.opensuse.security:def:32448 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:29230 | P | Security update for python (Important) | 2020-12-01
oval:org.opensuse.security:def:33124 | P | kdelibs4 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:28791 | P | Security update for mysql (Moderate) | 2020-12-01
oval:org.opensuse.security:def:32460 | P | Security update for xorg-x11-libX11 (Important) | 2020-12-01
oval:org.opensuse.security:def:29904 | P | Security update for KVM | 2020-12-01
oval:org.opensuse.security:def:33212 | P | nagios-plugins on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29027 | P | Security update for LibVNCServer (Important) | 2020-12-01
oval:org.opensuse.security:def:32673 | P | glibc on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:28439 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:33279 | P | vino on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29130 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:28518 | P | Security update for openssl1 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29186 | P | Security update for mysql (Important) | 2020-12-01
oval:org.opensuse.security:def:28734 | P | Security update for kvm (Important) | 2020-12-01
oval:org.opensuse.security:def:32449 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:29868 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:33173 | P | libpoppler-glib4 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:32538 | P | kernel-default on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:28438 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:33235 | P | powerpc-utils on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29081 | P | Security update for dbus-1 (Important) | 2020-12-01
oval:org.opensuse.security:def:32767 | P | pcsc-lite on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:28450 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:29169 | P | Security update for mailman (Important) | 2020-12-01
oval:org.mitre.oval:def:27567 | P | ELSA-2011-1531 -- qemu-kvm security, bug fix, and enhancement update (moderate) | 2014-12-15
oval:org.mitre.oval:def:26941 | P | RHSA-2011:1531 -- qemu-kvm security, bug fix, and enhancement update (Moderate) | 2014-12-08
oval:org.mitre.oval:def:12960 | P | DSA-2282-1 qemu-kvm -- several | 2014-07-21
oval:org.mitre.oval:def:14171 | P | USN-1177-1 -- qemu-kvm vulnerability | 2014-06-30
oval:com.redhat.rhsa:def:20111531 | P | RHSA-2011:1531: qemu-kvm security, bug fix, and enhancement update (Moderate) | 2011-12-06