RHSA-2013:1527 - Security Advisory

Topic

An updated rhev-hypervisor6 package that fixes multiple security issues and
one bug is now available.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Description

The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization
Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor
is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes
everything necessary to run and manage virtual machines: a subset of the
Red Hat Enterprise Linux operating environment and the Red Hat Enterprise
Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for
the Intel 64 and AMD64 architectures with virtualization extensions.

Upgrade Note: If you upgrade the Red Hat Enterprise Virtualization
Hypervisor through the 3.2 Manager administration portal, the Host may
appear with the status of "Install Failed". If this happens, place the host
into maintenance mode, then activate it again to get the host back to an
"Up" state.

A buffer overflow flaw was found in the way QEMU processed the SCSI "REPORT
LUNS" command when more than 256 LUNs were specified for a single SCSI
target. A privileged guest user could use this flaw to corrupt QEMU process
memory on the host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.
(CVE-2013-4344)

Multiple flaws were found in the way Linux kernel handled HID (Human
Interface Device) reports. An attacker with physical access to the system
could use this flaw to crash the system or, potentially, escalate their
privileges on the system. (CVE-2013-2888, CVE-2013-2889, CVE-2013-2892)

A flaw was found in the way the Python SSL module handled X.509 certificate
fields that contain a NULL byte. An attacker could potentially exploit this
flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that
to exploit this issue, an attacker would need to obtain a carefully crafted
certificate signed by an authority that the client trusts. (CVE-2013-4238)

The default OpenSSH configuration made it easy for remote attackers to
exhaust unauthorized connection slots and prevent other users from being
able to log in to a system. This flaw has been addressed by enabling random
early connection drops by setting MaxStartups to 10:30:100 by default.
For more information, refer to the sshd_config(5) man page. (CVE-2010-5107)

The CVE-2013-4344 issue was discovered by Asias He of Red Hat.

This updated package provides updated components that include fixes for
various security issues. These issues have no security impact on Red Hat
Enterprise Virtualization Hypervisor itself, however. The security fixes
included in this update address the following CVE numbers:

CVE-2012-0786 and CVE-2012-0787 (augeas issues)

CVE-2013-1813 (busybox issue)

CVE-2013-0221, CVE-2013-0222, and CVE-2013-0223 (coreutils issues)

CVE-2012-4453 (dracut issue)

CVE-2013-4332, CVE-2013-0242, and CVE-2013-1914 (glibc issues)

CVE-2013-4387, CVE-2013-0343, CVE-2013-4345, CVE-2013-4591, CVE-2013-4592,
CVE-2012-6542, CVE-2013-3231, CVE-2013-1929, CVE-2012-6545, CVE-2013-1928,
CVE-2013-2164, CVE-2013-2234, and CVE-2013-2851 (kernel issues)

CVE-2013-4242 (libgcrypt issue)

CVE-2013-4419 (libguestfs issue)

CVE-2013-1775, CVE-2013-2776, and CVE-2013-2777 (sudo issues)

This update also fixes the following bug:

• A previous version of the rhev-hypervisor6 package did not contain the

latest vhostmd package, which provides a "metrics communication channel"
between a host and its hosted virtual machines, allowing limited
introspection of host resource usage from within virtual machines. This has
been fixed, and rhev-hypervisor6 now includes the latest vhostmd package.
(BZ#1026703)

This update also contains the fixes from the following errata:

• ovirt-node: https://rhn.redhat.com/errata/RHBA-2013-1528.html

Users of the Red Hat Enterprise Virtualization Hypervisor are advised to
upgrade to this updated package, which corrects these issues.

Solution

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

To upgrade Hypervisors in Red Hat Enterprise Virtualization environments
using the disk image provided by this package, refer to:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Hypervisor_Deployment_Guide/chap-Deployment_Guide-Upgrading_Red_Hat_Enterprise_Virtualization_Hypervisors.html

Affected Products

• Red Hat Virtualization 6 x86_64

Fixes

• BZ - 908060 - rhev-hypervisor 6.5 release
• BZ - 908707 - CVE-2010-5107 openssh: Prevent connection slot exhaustion attacks
• BZ - 996381 - CVE-2013-4238 python: hostname check bypassing vulnerability in SSL module
• BZ - 999890 - CVE-2013-2889 Kernel: HID: zeroplus: heap overflow flaw
• BZ - 1000429 - CVE-2013-2892 Kernel: HID: pantherlord: heap overflow flaw
• BZ - 1000451 - CVE-2013-2888 Kernel: HID: memory corruption flaw
• BZ - 1007330 - CVE-2013-4344 qemu: buffer overflow in scsi_target_emulate_report_luns
• BZ - 1026703 - Latest vhostmd package is not built in

CVEs

• CVE-2013-2888
• CVE-2013-2892
• CVE-2013-4344
• CVE-2010-5107
• CVE-2013-2889
• CVE-2013-4238

References

• https://access.redhat.com/security/updates/classification/#important
• https://rhn.redhat.com/errata/RHBA-2013-1528.html
• https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Hypervisor_Deployment_Guide/chap-Deployment_Guide-Upgrading_Red_Hat_Enterprise_Virtualization_Hypervisors.html