[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Libvirt-announce] LSN-2015-0003: CVE-2015-5247 denial of service through root-squash NFS storage pools



        Libvirt Security Notice: LSN-2015-0003
        ======================================

       Summary: denial of service through root-squash NFS storage
                pools
   Reported on: 20150814
  Published on: 20150903
      Fixed on: 20150903
   Reported by: Han Han <hhan redhat com>
    Patched by: John Ferlan <jferlan redhat com>
      See also: CVE-2015-5247

Description
-----------

The virStorageVolCreateXML API had a bug where it could create a
volume on a root-squash NFS mount, but then fail to remove that
volume if later steps during the API encountered problems. This was
further compounded by code which used a wrong conditional on whether
the new volume needed to have permissions changed, making it more
likely to trigger the failed unlink attempt. Poor error handling
after a failed unlink left libvirt with an inconsistent view of the
storage volume that could then result in a libvirtd crash. While the
libvirtd crash might be delayed until by subsequent actions from a
read-only connection, the conditions that set up the crash can only
be triggered by a client with a read-write connection.

Impact
------

When using fine-grained Access Control Lists (ACL), the
virStorageVolCreateXML API only requires the storage_vol:create
permission. A client with this privilege but lacking the
more-powerful domain:write permission could exploit the API bugs to
cause a denial-of-service attack by taking down libvirtd through a
crash. It can also be argued that the ability to cause libvirt to
create files which it cannot delete can be used as a
denial-of-service attack on storage resources.

Workaround
----------

The problems with libvirt creating a file which it does not then
clean up on error is specific to root-squash NFS, so one mitigation
is avoiding the use of the root-squash option when exporting NFS
volumes for use by libvirt storage pools. Note that in general, the
use of root-squash NFS does not add any real security (it makes
certain tasks harder for a root user, but the root user can
trivially change ids to another user to still perform those tasks).
Furthermore, it is possible to prevent the denial of service attacks
by stopping the use of the fine grained access control mechanism
(while this does not prevent a crash, such a crash is no longer a
security problem as there is no longer a privilege boundary between
a user creating a volume and a user with full system access).

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v1.2.14
   Broken in: v1.2.15
   Broken in: v1.2.16
   Broken in: v1.2.17
   Broken in: v1.2.18
   Broken in: v1.2.19
   Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
   Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
    Fixed by: db9277a39bc364806e8d3e08a08fc128d59b7094
    Fixed by: 691dd388aee99f8b06177540303b690586d5f5b3
    Fixed by: 35847860f65f92e444db9730e00cdaef45198e0c

      Branch: v1.2.14-maint
   Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
    Fixed by: 605b12068392d29beb44a8ab7d6ec176d6b05237
    Fixed by: 454cb7c40dbcff84192094963d71369ac7d94546

      Branch: v1.2.15-maint
   Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
    Fixed by: 3c41b3ea5e68f391b8ff901082608bda5f7f3fbc
    Fixed by: fe2cf73800e3be87d1d4d811facb3f2be48126e5

      Branch: v1.2.16-maint
   Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
   Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
    Fixed by: 9e48400f4606bac16b7e4db195f610928c3d5a04
    Fixed by: 2f4b41861c1729ff4b754986782d7428ccdca455
    Fixed by: 7f0505705c70f7eb1e435a2e7732d1a74abfadfd

      Branch: v1.2.17-maint
   Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
   Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
    Fixed by: d055989083df4bf68eb1388d327ebffb3501bb83
    Fixed by: 98242f94cd181f0257535479369054f07f951b21
    Fixed by: a3ee6885d95a2ce6fb7e58bb0737cfb1612e0fb7

      Branch: v1.2.18-maint
   Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
   Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
    Fixed by: e63b32e22dafd99547f82f5383fdbf58b5f651a1
    Fixed by: 075eb526c9817d9d8e3a759e3fbe180d8d326dcf
    Fixed by: 966cc922221be2b8cc6a9842ed0dc4cf1568a7b3

      Branch: v1.2.19-maint
   Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
   Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
    Fixed by: e0025d2967bbe3f283937216c9e2c12b6e9d1010
    Fixed by: 8b1d84e640f1a6e6ebb47caf23a664e2f651b32d
    Fixed by: 3468542f06f6f5dc94defa1603c6a6adea3e2da8


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]