CVE-2017-1000256: Improper Certificate Validation in Redhat Libvirt

Severity: 8.1 HIGH (NVD)
EPSS: 0.9% (top 24.25%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: 2017-10-31
Latest update: 2022-05-13

Description

libvirt version 2.3.0 and later is vulnerable to a bad default configuration of "verify-peer=no" passed to QEMU by libvirt resulting in a failure to validate SSL/TLS certificates by default.
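The practical check on a host that may still run an affected libvirt is to look at what QEMU was actually started with: the weak setting shows up as verify-peer=no on the TLS credentials object of a client endpoint (a chardev or migration connection), and the corrected form is the same object with verify-peer=yes. The audit script below is an added example for this page, not libvirt's or QEMU's own code. It assumes QEMU's documented syntax for x509 credentials, an argument of the form -object tls-creds-x509,id=...,dir=...,endpoint=client|server,verify-peer=yes|no; the two command lines it parses are constructed for the demonstration, and the /proc scan only works on Linux.

```python
"""Audit QEMU command lines for TLS credential objects that disable peer
certificate verification, the "verify-peer=no" setting that libvirt passed
to QEMU by default in the affected versions.

Added example for this page; it is not libvirt's or QEMU's code. It assumes
the QEMU syntax for x509 TLS credentials, i.e. an argument of the form
'-object tls-creds-x509,id=...,dir=...,endpoint=client|server,verify-peer=yes|no'.
The command lines at the bottom are constructed for the demonstration.
"""
import glob
import shlex
from typing import Dict, List

# QEMU accepts several spellings for boolean object properties.
_FALSE = {"no", "off", "false"}


def parse_objects(argv: List[str]) -> List[Dict[str, str]]:
    """Return the properties of every '-object TYPE,key=value,...' in argv.

    The QOM type (first comma-separated element) is stored under 'qom-type'.
    """
    objects = []
    for i in range(len(argv) - 1):
        if argv[i] != "-object":
            continue
        parts = argv[i + 1].split(",")
        props = {"qom-type": parts[0]}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            props[key] = value
        objects.append(props)
    return objects


def unverified_tls_clients(argv: List[str]) -> List[str]:
    """Return the ids of client-endpoint TLS credentials with verify-peer disabled.

    QEMU verifies the peer by default, so only an explicit 'no' is reported.
    A server endpoint with verify-peer=no only stops requiring client
    certificates, which is not the issue this CVE describes, so it is ignored.
    """
    findings = []
    for obj in parse_objects(argv):
        if not obj["qom-type"].startswith("tls-creds-"):
            continue
        if obj.get("endpoint") == "client" and obj.get("verify-peer", "yes").lower() in _FALSE:
            findings.append(obj.get("id", "<no id>"))
    return findings


def audit_running_qemu(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Scan running processes; map PID -> offending credential ids (Linux only)."""
    results: Dict[int, List[str]] = {}
    for path in glob.glob(f"{proc_root}/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as f:
                raw = f.read().split(b"\0")
        except OSError:
            continue
        argv = [a.decode("utf-8", "replace") for a in raw if a]
        if not argv or "qemu" not in argv[0]:
            continue
        bad = unverified_tls_clients(argv)
        if bad:
            results[int(path.split("/")[-2])] = bad
    return results


# Constructed command lines: a chardev TLS client as an affected libvirt
# would launch it, and the same guest with verification enabled.
VULNERABLE_CMDLINE = shlex.split(
    "/usr/bin/qemu-system-x86_64 -name guest=vm1 "
    "-object tls-creds-x509,id=objcharserial0_tls0,dir=/etc/pki/qemu,"
    "endpoint=client,verify-peer=no "
    "-chardev socket,id=charserial0,host=192.0.2.10,port=5555,tls-creds=objcharserial0_tls0"
)
FIXED_CMDLINE = [a.replace("verify-peer=no", "verify-peer=yes") for a in VULNERABLE_CMDLINE]

if __name__ == "__main__":
    print("constructed vulnerable:", unverified_tls_clients(VULNERABLE_CMDLINE))
    print("constructed fixed:     ", unverified_tls_clients(FIXED_CMDLINE))
    for pid, ids in audit_running_qemu().items():
        print(f"pid {pid}: TLS client credentials without peer verification: {ids}")
```

Only client endpoints are reported because that is what the advisory titles on this page describe; a server-side verify-peer=no means the server does not demand a client certificate, which is a separate policy question. A clean scan on a host that is still inside the affected version range is not proof of safety, only that no TLS client connection is currently configured; upgrading libvirt is still the fix.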

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (2 packages)

Source   Package           Introduced   Fixed
NVD      redhat/libvirt    2.3.0        3.9.0
Debian   redhat/libvirt    < 3.8.0-3+3

Also affects: Debian Linux 9.0

🔴 Vulnerability Details (4)

GHSA: GHSA-gq8m-rwgg-6vv3: libvirt version 2 (2022-05-13)
OSV: libvirt vulnerabilities (2018-02-20)
CVEList: CVE-2017-1000256: libvirt version 2 (2017-10-31)
OSV: CVE-2017-1000256: libvirt version 2 (2017-10-31)

📋 Vendor Advisories (4)

Ubuntu: libvirt vulnerabilities (2018-02-20)
Red Hat: libvirt: TLS certificate verification disabled for clients (2017-10-16)
Microsoft: libvirt version 2.3.0 and later is vulnerable to a bad default configuration of "verify-peer=no" passed to QEMU by libvirt resulting in a failure to validate SSL/TLS certificates by default. (2017-10-10)
Debian: CVE-2017-1000256: libvirt - libvirt version 2.3.0 and later is vulnerable to a bad default configuration of ... (2017)

💬 Community (3)

Bugzilla: CVE-2017-1000256 mingw-libvirt: libvirt: TLS certificate verification disabled for clients [fedora-all] (2017-10-18)
Bugzilla: CVE-2017-1000256 libvirt: TLS certificate verification disabled for clients (2017-10-18)
Bugzilla: CVE-2017-1000256 libvirt: TLS certificate verification disabled for clients [fedora-all] (2017-10-18)
CVE-2017-1000256 — Improper Certificate Validation | cvebase