[Libvirt-announce] LSN-2014-0003: Unsafe parsing of XML documents allows arbitrary file read

Daniel P. Berrange berrange at redhat.com
Tue May 6 13:40:31 UTC 2014


        Libvirt Security Notice: LSN-2014-0003
        ======================================

       Summary: Unsafe parsing of XML documents allows arbitrary
                file read
   Reported on: 20140411
  Published on: 20140506
      Fixed on: 20140506
   Reported by: Daniel P. Berrange <berrange at redhat.com>
                Richard Jones <rjones at redhat.com>
    Patched by: Daniel P. Berrange <berrange at redhat.com>
      See also: CVE-2014-0179

Description
-----------

When parsing XML documents, libvirt passes the XML_PARSE_NOENT flag
to libxml2 which instructs it to expand all entities in the XML
document during parsing. This can be used to insert the contents of
host OS files in the resulting parsed content. Although the flaw was
introduced in 0.0.5, it was dormant having no ill effects, since the
APIs involved all required the user to authenticate with privileges
equivalent to root. In version 0.7.5 or later the
virConnectCompareCPU / virConnectBaselineCPU methods activate the
dormant bug, allowing for denial of service. In version 1.0.0 or
later, if the admin opts in to using the new fine grained access
control feature, there is potential for unprivileged information
disclosure.

Impact
------

A malicious user can pass libvirt an XML document which contains an
entity that points to an arbitrary file on the host. When libvirt
parses this document, it will insert the contents of that host file,
which could allow the user to read the contents of files that they
otherwise do not have permission to view. It also has the potential
to cause a denial of service / indefinite hang of libvirt, if the
entity points to a named pipe with no writer connected or certain
proc files. If the libvirt installation is not using fine grained
access control then virConnectCompareCPU and virConnectBaselineCPU
APIs can be used by a read-only user to inflict a denial of service
attack. If the libvirt installation is using fine grained access
control, then as well as the denial of service attack, one or more
of the following APIs can be used for information disclosure of
files: virDomainDefineXML, virNetworkCreateXML, virNetworkDefineXML,
virStoragePoolCreateXML, virStoragePoolDefineXML,
virStorageVolCreateXML, virDomainCreateXML, virNodeDeviceCreateXML,
virInterfaceDefineXML, virStorageVolCreateXMLFrom,
virConnectDomainXMLFromNative, virConnectDomainXMLToNative,
virSecretDefineXML, virNWFilterDefineXML,
virDomainSnapshotCreateXML, virDomainSaveImageDefineXML,
virDomainCreateXMLWithFiles, virConnectCompareCPU,
virConnectBaselineCPU.

Workaround
----------

Stop use of the fine grained access control mechanism, and restrict
access to all the libvirt TCP/UNIX sockets to only trusted
authenticated users. Simply denying access to the affected APIs in
the access control policy is insufficient to mitigate the bug, since
the XML document typically needs to be parsed before the access
control check is applied in order to extra the UUID/name of the
object to check. Access to the readonly libvirt socket must also be
revoked

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v0.7.5
   Broken in: v0.7.6
   Broken in: v0.7.7
   Broken in: v0.8.0
   Broken in: v0.8.1
   Broken in: v0.8.2
   Broken in: v0.8.3
   Broken in: v0.8.4
   Broken in: v0.8.5
   Broken in: v0.8.6
   Broken in: v0.8.7
   Broken in: v0.8.8
   Broken in: v0.9.0
   Broken in: v0.9.1
   Broken in: v0.9.2
   Broken in: v0.9.3
   Broken in: v0.9.4
   Broken in: v0.9.5
   Broken in: v0.9.6
   Broken in: v0.9.7
   Broken in: v0.9.8
   Broken in: v0.9.9
   Broken in: v0.9.10
   Broken in: v0.9.11
   Broken in: v0.9.12
   Broken in: v0.9.13
   Broken in: v1.0.0
   Broken in: v1.0.1
   Broken in: v1.0.2
   Broken in: v1.0.3
   Broken in: v1.0.4
   Broken in: v1.0.5
   Broken in: v1.0.6
   Broken in: v1.1.0
   Broken in: v1.1.1
   Broken in: v1.1.2
   Broken in: v1.1.3
   Broken in: v1.1.4
   Broken in: v1.2.0
   Broken in: v1.2.1
   Broken in: v1.2.2
   Broken in: v1.2.3
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: d6b27d3e4c40946efa79e91d134616b41b1666c4

      Branch: v0.9.6-maint
   Broken in: v0.9.6.1
   Broken in: v0.9.6.2
   Broken in: v0.9.6.3
   Broken in: v0.9.6.4
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
    Fixed by: be7a5de9d0c406f36efae3230e1743c613ad6945

      Branch: v0.9.11-maint
   Broken in: v0.9.11.1
   Broken in: v0.9.11.2
   Broken in: v0.9.11.3
   Broken in: v0.9.11.4
   Broken in: v0.9.11.5
   Broken in: v0.9.11.6
   Broken in: v0.9.11.7
   Broken in: v0.9.11.8
   Broken in: v0.9.11.9
   Broken in: v0.9.11.10
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833

      Branch: v0.9.12-maint
   Broken in: v0.9.12.1
   Broken in: v0.9.12.2
   Broken in: v0.9.12.3
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
    Fixed by: 022b34cee73f86b01724b5279cf626df9cca245f

      Branch: v1.0.5-maint
   Broken in: v1.0.5.1
   Broken in: v1.0.5.2
   Broken in: v1.0.5.3
   Broken in: v1.0.5.4
   Broken in: v1.0.5.5
   Broken in: v1.0.5.6
   Broken in: v1.0.5.7
   Broken in: v1.0.5.8
   Broken in: v1.0.5.9
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
    Fixed by: 4410a83e18c1b41f1f5d3f10a0b648fc9304bc35

      Branch: v1.1.0-maint
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: 6f4eae73a0bf3e1c5e9597e4f9a8078cad69b1e3

      Branch: v1.1.1-maint
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: cfc94140e5989c9f3cce0fdbb758730818cb2572

      Branch: v1.1.2-maint
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: 8fd2005cc0594742dc6cfab07a62f9774798a56d

      Branch: v1.1.3-maint
   Broken in: v1.1.3.1
   Broken in: v1.1.3.2
   Broken in: v1.1.3.3
   Broken in: v1.1.3.4
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: 46de45d079ae2622660fe147cf237ee617cc461c

      Branch: v1.1.4-maint
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: e2b96d539f8a06e08cdf001627efe3f399db9c07

      Branch: v1.2.0-maint
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: 9b1d09377492a4ce92498abb7cf830d693bc661c

      Branch: v1.2.1-maint
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: 877388678a77bacf802f97de429b2b350b02eb41

      Branch: v1.2.2-maint
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: ab07ebeb22b1d724999dc6eabc33cd6266de496f

      Branch: v1.2.3-maint
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: a45368839fb898feb6b634df2bf337697155ea74

      Branch: v1.2.4-maint
   Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
   Broken by: 387941fb626d9362835aa216b4a871e18268f649
   Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: a8480e2bc0d0b1c5cd98ff7424cace3e82db5ace


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|




More information about the Libvirt-announce mailing list