CVE-2012-2693
low
CVSS v3
—
CVSS v2
3.7
VIR risk
3.7
Description
libvirt, possibly before 0.9.12, does not properly assign USB devices to virtual machines when multiple devices have the same vendor and product ID, which might cause the wrong device to be associated with a guest and might allow local users to access unintended USB devices.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2012-2693
Vendor advisory: secalert@redhat.com — https://www.redhat.com/archives/libvir-list/2012-April/msg01494.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 0.9.12-1 |
| debian | bullseye | fixed | 0.9.12-1 |
| debian | forky | fixed | 0.9.12-1 |
| debian | sid | fixed | 0.9.12-1 |
| debian | trixie | fixed | 0.9.12-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| redhat | libvirt | {"endIncluding":"0.9.11"} | |
| redhat | libvirt | 0.0.1 | |
| redhat | libvirt | 0.0.2 | |
| redhat | libvirt | 0.0.3 | |
| redhat | libvirt | 0.0.4 | |
| redhat | libvirt | 0.0.5 | |
| redhat | libvirt | 0.0.6 | |
| redhat | libvirt | 0.1.0 | |
| redhat | libvirt | 0.1.1 | |
| redhat | libvirt | 0.1.3 | |
| redhat | libvirt | 0.1.4 | |
| redhat | libvirt | 0.1.5 | |
| redhat | libvirt | 0.1.6 | |
| redhat | libvirt | 0.1.7 | |
| redhat | libvirt | 0.1.8 | |
| redhat | libvirt | 0.1.9 | |
| redhat | libvirt | 0.2.0 | |
| redhat | libvirt | 0.2.1 | |
| redhat | libvirt | 0.2.2 | |
| redhat | libvirt | 0.2.3 | |
| redhat | libvirt | 0.3.0 | |
| redhat | libvirt | 0.3.1 | |
| redhat | libvirt | 0.3.2 | |
| redhat | libvirt | 0.3.3 | |
| redhat | libvirt | 0.4.0 | |
| redhat | libvirt | 0.4.1 | |
| redhat | libvirt | 0.4.2 | |
| redhat | libvirt | 0.4.3 | |
| redhat | libvirt | 0.4.4 | |
| redhat | libvirt | 0.4.5 | |
| redhat | libvirt | 0.4.6 | |
| redhat | libvirt | 0.5.0 | |
| redhat | libvirt | 0.5.1 | |
| redhat | libvirt | 0.6.0 | |
| redhat | libvirt | 0.6.1 | |
| redhat | libvirt | 0.6.2 | |
| redhat | libvirt | 0.6.3 | |
| redhat | libvirt | 0.6.4 | |
| redhat | libvirt | 0.6.5 | |
| redhat | libvirt | 0.7.0 | |
| redhat | libvirt | 0.7.1 | |
| redhat | libvirt | 0.7.2 | |
| redhat | libvirt | 0.7.3 | |
| redhat | libvirt | 0.7.4 | |
| redhat | libvirt | 0.7.5 | |
| redhat | libvirt | 0.7.6 | |
| redhat | libvirt | 0.7.7 | |
| redhat | libvirt | 0.8.0 | |
| redhat | libvirt | 0.8.1 | |
| redhat | libvirt | 0.8.2 | |
| redhat | libvirt | 0.8.3 | |
| redhat | libvirt | 0.8.4 | |
| redhat | libvirt | 0.8.5 | |
| redhat | libvirt | 0.8.6 | |
| redhat | libvirt | 0.8.7 | |
| redhat | libvirt | 0.8.8 | |
| redhat | libvirt | 0.9.0 | |
| redhat | libvirt | 0.9.1 | |
| redhat | libvirt | 0.9.2 | |
| redhat | libvirt | 0.9.3 | |
| redhat | libvirt | 0.9.4 | |
| redhat | libvirt | 0.9.5 | |
| redhat | libvirt | 0.9.6 | |
| redhat | libvirt | 0.9.7 | |
| redhat | libvirt | 0.9.8 | |
| redhat | libvirt | 0.9.9 | |
| redhat | libvirt | 0.9.10 | |
References
- http://rhn.redhat.com/errata/RHSA-2012-0748.html
- http://rhn.redhat.com/errata/RHSA-2013-0127.html
- http://www.openwall.com/lists/oss-security/2012/06/11/2
- http://www.openwall.com/lists/oss-security/2012/06/11/3
- https://www.redhat.com/archives/libvir-list/2012-April/msg01494.html
- https://security-tracker.debian.org/tracker/CVE-2012-2693
CWEs
CWE-264
Verify integrity in audit chain (admin only). AS-IS.