A critical flaw, identified as CVE-2024-2494, has been discovered in the Remote Procedure Call (RPC) library APIs of libvirt, a popular open-source virtualization library. This vulnerability can be potentially exploited by an unprivileged local attacker to perform a Denial of Service (DoS) attack, resulting in the crash of the libvirt daemon. This blog post provides an in-depth analysis of the flaw, code snippets demonstrating the issue, and links to original references related to this vulnerability.

Original References

- CVE-2024-2494 in the official CVE database
- Libvirt Security Advisory
- Patch for libvirt

Vulnerability Details

The flaw lies in the RPC server deserialization code, specifically in the handling of arrays. Before allocating memory for arrays, a non-negative length check should be performed by the C API entry points. However, this check is bypassed, allowing negative length values to pass through.

When a negative length value is passed to the GLib g_new() function, whose element-count argument is unsigned, the negative number is converted to a very large positive number. The resulting attempt to allocate a huge amount of memory fails, and the libvirt daemon crashes.

Here's a simplified code snippet that illustrates the issue:

#include <glib.h>

// Simplified, vulnerable RPC server deserialization code
static void
virNetMessageDecodeLength(virNetMessage *msg)
{
    int ret;

    // Decode the signed length field from the wire. Only the decode
    // status is checked here; the sign of the length is not, so the
    // non-negative length check is bypassed.
    ret = virNetMessageDecodeNum(msg, &msg->bufferLength);
    if (ret < 0)
        return;

    // g_new() takes an unsigned element count, so a negative
    // bufferLength is converted to a huge positive number; the
    // allocation fails and the daemon crashes.
    msg->buffer = g_new(char, msg->bufferLength);

    // ...
}

Under normal circumstances, the length value for an array should always be non-negative. However, due to the issue in the deserialization code, a negative value can slip through. This leads to the aforementioned vulnerability, where an attacker can exploit this flaw to launch a Denial of Service attack.
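The conversion described above and the check that prevents it, as an added example in plain C that is not the page's or libvirt's own code; it models g_new()'s unsigned count argument with a size_t cast, never attempts the huge allocation itself, and uses a hypothetical MAX_ARRAY_LEN in place of libvirt's per-API protocol limits.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical per-array limit; libvirt's dispatch code uses the
 * per-API maximums from its RPC protocol definition instead. */
#define MAX_ARRAY_LEN 16384

/* Vulnerable pattern: the signed length decoded from the wire reaches
 * the allocator unchecked. g_new() takes an unsigned gsize count, so the
 * implicit int -> size_t conversion turns -1 into SIZE_MAX. Only the
 * count that would be requested is returned; no allocation is attempted,
 * because a request this large makes g_new() abort the daemon. */
size_t vulnerable_alloc_count(int32_t decoded_len)
{
    return (size_t)decoded_len;
}

/* Hardened check, mirroring what the RPC entry points must do before any
 * allocation: reject negative lengths and lengths above the protocol limit. */
int validate_array_length(int32_t decoded_len, size_t max_len)
{
    if (decoded_len < 0)
        return -1;
    if ((size_t)decoded_len > max_len)
        return -1;
    return 0;
}

/* Hardened allocation: validate first, then allocate; NULL means rejected.
 * A zero-length array still gets one byte so NULL stays unambiguous. */
char *safe_alloc_array(int32_t decoded_len, size_t max_len)
{
    if (validate_array_length(decoded_len, max_len) < 0)
        return NULL;
    return calloc(decoded_len > 0 ? (size_t)decoded_len : 1, 1);
}

/* 1 if the hardened path allocates for this length, 0 if it rejects it. */
int hardened_path_allocates(int32_t decoded_len)
{
    char *p = safe_alloc_array(decoded_len, MAX_ARRAY_LEN);
    if (!p)
        return 0;
    free(p);
    return 1;
}
```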

Exploit Details

To take advantage of this vulnerability, a local attacker can craft and send a malicious RPC request with a negative length value. This malformed request will trigger the bug and cause the libvirt daemon to crash, thereby achieving a Denial of Service.

- Due to the flaw in the deserialization code, the length check is bypassed.
- The negative length value is treated as a huge positive number, and a large amount of memory is allocated.

Conclusion

The CVE-2024-2494 vulnerability in the RPC library APIs of libvirt is a critical flaw that allows an unprivileged local attacker to perform a denial of service attack. It is highly recommended to apply the available security patches and updates to the affected libvirt installations in order to mitigate the risk posed by this flaw.

Timeline

Published on: 03/21/2024 14:15:10 UTC
Last modified on: 04/01/2024 13:17:05 UTC