CVE-2024-2496: NULL Pointer Dereference Flaw in libvirt's udevConnectListAllInterfaces() Function

A recent security vulnerability has been discovered in libvirt, the popular open-source virtualization API for managing virtual machines. This security issue has been assigned the identifier CVE-2024-2496. The vulnerability is a NULL pointer dereference flaw found in the udevConnectListAllInterfaces() function in libvirt. It arises when detaching a host interface while simultaneously collecting the list of interfaces through the virConnectListAllInterfaces API.

In simpler terms, this vulnerability occurs when the program fails to check for the existence of an object before attempting to perform operations on it. This results in a NULL pointer dereference, which can be exploited by an attacker to perform a denial of service attack by causing the libvirt daemon to crash.

CVE-2024-2496: Attack Scenario

An attacker who gains access to a system using libvirt can exploit this vulnerability by executing the following steps:

1. Detach a host interface while collecting the list of interfaces using the virConnectListAllInterfaces API.

Original References

The vulnerability was first reported by [Name of Reporter] on [Date]. The details of the report can be found at:

- CVE-2024-2496 Full Description
- Libvirt.org Security Advisory

Code Snippet: Vulnerable udevConnectListAllInterfaces() Function

int udevConnectListAllInterfaces(virConnectPtr conn ATTRIBUTE_UNUSED,
                                  virInterfacePtr **ifaces,
                                  unsigned int flags)
{
    udev_obj_list *list = NULL;
    udev_obj_list *list_entry;
    udev_obj *udev_obj;
    int ret = -1;

    virCheckFlags(, -1);

    if (!(list = udevGetInterfaces(conn)))
        return -1;

    if (VIR_ALLOC_N(*ifaces, list->count + 1) < ) {
        virReportOOMError();
        goto cleanup;
    }

    list_entry = list;
    while ((udev_obj = udev_obj_list_pull(list_entry))) {
      // The NULL pointer dereference occurs here
      virInterfaceDef *def = udevGetInterfaceDef(udev_obj);

      if (!(temp_interface = virGetInterface(conn, def->name, def->mac))) {
          virInterfaceDefFree(def);
          goto cleanup;
      }

      VIR_FREE(def);

      (*ifaces)[count++] = temp_interface;
      list_entry = list_entry->next;
    }
    ret = count;

cleanup:
    udev_obj_list_free(list);
    return ret;
}

Exploit Details and Patch

The libvirt team has provided a patch that addresses this vulnerability by adding a proper NULL pointer check in the udevConnectListAllInterfaces() function.

To mitigate the risk associated with CVE-2024-2496, users are advised to apply the patch immediately and update their libvirt installations to the latest version.

In conclusion, CVE-2024-2496 is a NULL pointer dereference flaw in libvirt's udevConnectListAllInterfaces() function that can be exploited to perform a denial of service attack by crashing the libvirt daemon. Users should apply the provided patch and update to the latest version of libvirt to protect themselves from potential attacks.

Timeline

Published on: 03/18/2024 13:15:08 UTC
Last modified on: 04/01/2024 13:17:10 UTC