Vigil@nce: libvirt, creation of iptables rules
January 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When libvirt is used to create a network with forward in bridge mode, useless iptables rules are added.
Severity: 2/4
Creation date: 10/01/2012
IMPACTED PRODUCTS
Fedora
Unix - platform
DESCRIPTION OF THE VULNERABILITY
The libvirt library provides a standard interface on several virtualization products (Xen, QEMU, KVM, etc.).
Libvirt can be used to configure an interface with Forward (packet forwarding), according to several modes:
NAT translation
routing
bridge
Depending on the mode, iptables firewall rules can be added to the FORWARD chain. However, in bridge mode, no rules are needed, yet rules allowing traffic on the "virbrX" bridge interface are added anyway.
When libvirt is used to create a network with forward in bridge mode, useless iptables rules are therefore added.
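The check below is an added example written for this bulletin, not code from Vigil@nce or from the libvirt project. It reads a libvirt network definition (the `<forward mode=...>` and `<bridge name=...>` elements) and a rule listing in `iptables -S FORWARD` format, and reports when a bridge-mode network has FORWARD rules referencing its bridge, which is the condition described above. The network XML and the iptables output embedded here are constructed samples; on a real host you would feed it `virsh net-dumpxml NAME` and `iptables -S FORWARD` instead.

```shell
#!/bin/sh
# Added example: audit a libvirt network definition against the host's
# FORWARD chain. Bridge mode needs no FORWARD rules for the bridge, so any
# rule naming that interface is unexpected; nat/route mode is expected to
# have some.

# Forward mode from a libvirt network XML document read on stdin.
# Assumes the usual <forward mode='...'/> element (single or double quotes).
net_forward_mode() {
    sed -n "s/.*<forward[^>]*mode=['\"]\([a-z]*\)['\"].*/\1/p" | head -n 1
}

# Bridge interface name from <bridge name='...'/> in the XML on stdin.
net_bridge_name() {
    sed -n "s/.*<bridge[^>]*name=['\"]\([A-Za-z0-9_.-]*\)['\"].*/\1/p" | head -n 1
}

# Count rules (iptables -S format, read on stdin) that reference the given
# interface as -i or -o. awk always exits 0, so an empty result is "0".
forward_rules_for_iface() {
    awk -v ifc="$1" '
        { for (i = 1; i < NF; i++)
              if (($i == "-i" || $i == "-o") && $(i + 1) == ifc) { n++; break } }
        END { print n + 0 }'
}

# audit_network NETWORK_XML FORWARD_RULES
# Prints a verdict and returns 0 when the rules match the mode, 1 otherwise,
# 2 when the forward mode is unknown.
audit_network() {
    xml="$1"; rules="$2"
    mode=$(printf '%s\n' "$xml" | net_forward_mode)
    br=$(printf '%s\n' "$xml" | net_bridge_name)
    n=$(printf '%s\n' "$rules" | forward_rules_for_iface "$br")
    case "$mode" in
        bridge)
            if [ "$n" -eq 0 ]; then
                echo "ok: bridge mode, no FORWARD rules reference $br"; return 0
            fi
            echo "unexpected: bridge mode but $n FORWARD rule(s) reference $br"; return 1 ;;
        nat|route)
            if [ "$n" -gt 0 ]; then
                echo "ok: $mode mode, $n FORWARD rule(s) for $br"; return 0
            fi
            echo "unexpected: $mode mode but no FORWARD rules for $br"; return 1 ;;
        *)
            echo "unknown forward mode '$mode'"; return 2 ;;
    esac
}

# Constructed sample: a bridge-mode network attached to an existing host bridge.
BRIDGE_NET='<network>
  <name>hostbridge</name>
  <forward mode="bridge"/>
  <bridge name="br0"/>
</network>'

# Constructed sample: a NAT-mode network on a libvirt-managed virbr0.
NAT_NET='<network>
  <name>default</name>
  <forward mode="nat"/>
  <bridge name="virbr0"/>
</network>'

# Constructed `iptables -S FORWARD` output: rules of the kind the bulletin
# calls useless when they appear for a bridge-mode network.
FORWARD_WITH_RULES='-P FORWARD ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -o br0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -j REJECT --reject-with icmp-port-unreachable'

# Constructed: a FORWARD chain with no rules for br0 (the expected state).
FORWARD_CLEAN='-P FORWARD ACCEPT'

# Constructed: rules for the NAT network, where they are expected.
FORWARD_NAT='-P FORWARD ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable'

# Run the demo when invoked as `sh audit.sh demo`.
if [ "${1:-}" = "demo" ]; then
    audit_network "$BRIDGE_NET" "$FORWARD_WITH_RULES" || :
    audit_network "$BRIDGE_NET" "$FORWARD_CLEAN"
    audit_network "$NAT_NET" "$FORWARD_NAT"
fi
```

The XML parsing is a deliberately small sed pattern for the two elements the check needs; it is not a general XML parser, and a `<forward>` element with extra attributes in an unusual order would need the pattern widened.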
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN