[Libvirt-announce] LSN-2019-0005: virDomainManagedSaveDefineXML does not check for read-only connection

Ján Tomko jtomko at redhat.com
Mon Jun 24 12:34:29 UTC 2019


        Libvirt Security Notice: LSN-2019-0005
        ======================================

       Summary: virDomainManagedSaveDefineXML does not check for
                read-only connection
   Reported on: 20190604
  Published on: 20190620
      Fixed on: 20190620
   Reported by: Matthias Gerstner <mgerstner at suse.de>
    Patched by: Ján Tomko <jtomko at redhat.com>
      See also: CVE-2019-10166

Description
-----------

The virDomainManagedSaveDefineXML API redefines the manage-saved
domain XML without checking for a read-only connection. This allows
unprivileged users to check for existence of arbitrary files or
executing arbitrary binaries with elevated privileges.

Impact
------

The default libvirt configuration allows all local user accounts
read-only access to the libvirtd daemon. Any local user can provide
an arbitrary emulator, executing arbitrary binaries as the
configured QEMU user. Since v5.1.0, the emulator binary is run with
CAP_DAC_OVERRIDE, essentially having root privileges.

Workaround
----------

Edit the /etc/libvirt/libvirtd.conf configuration file, to set the
'unix_sock_ro_perms = "0700"' to prevent local users from connecting
to libvirt. Alternatively setup a policy kit rule to prevent them
access without first authenticating as root.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v3.7.0
   Broken in: v3.8.0
   Broken in: v3.9.0
   Broken in: v3.10.0
   Broken in: v4.0.0
   Broken in: v4.1.0
   Broken in: v4.2.0
   Broken in: v4.3.0
   Broken in: v4.4.0
   Broken in: v4.5.0
   Broken in: v4.6.0
   Broken in: v4.7.0
   Broken in: v4.8.0
   Broken in: v4.9.0
   Broken in: v4.10.0
   Broken in: v5.0.0
   Broken in: v5.1.0
   Broken in: v5.2.0
   Broken in: v5.3.0
   Broken in: v5.4.0
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: db0b78457f183e4c7ac45bc94de86044a1e2056a

      Branch: v3.7-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: e7d9c8899fc7751201b46b6cf6bff4eadb38af2f

      Branch: v4.1-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: d9a1f3debad411756f53ab8ab81e44ab0bb50e0a

      Branch: v4.2-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: 1813138f6b00058285e325191d50c41ace39e5b3

      Branch: v4.3-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: 9816854ac4e5ccd87cf82320b4550671e75f6509

      Branch: v4.4-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: e777cce08e069e29deedec540d463ed70c29e92c

      Branch: v4.5-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: d025c10d54975fe98927be85f33146e780c28d52

      Branch: v4.6-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: 00e673c93fc3d0cfed274cc7a1ec2c52260c8262

      Branch: v4.7-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: 6da721ea37bf3624ff9922637cfa657d2dcb20f9

      Branch: v4.8-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: 6dc29a174ae204b1ae13fed0f533818ad6d24b9f

      Branch: v4.9-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: 0a744e15517d727c7f473fabe32ca6b0dbb7b7d1

      Branch: v4.10-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: 3f744efec31959f7643849f6a3708198bcdfc6ae

      Branch: v5.0-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: a064d492272bcb0029b140ec4e18fce1ac0ec5b2

      Branch: v5.1-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: 58c7c3fc4a0f15544c2054ed4682ff5d740681ab

      Branch: v5.1.0-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6

      Branch: v5.2-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: 96bca3af450cc62183b91a361f7024f93126bc49

      Branch: v5.3-maint
   Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
    Fixed by: f4dabe99f7f46520f2967f3e068fcbeb54e617df



More information about the Libvirt-announce mailing list