
[Libvirt-announce] LSN-2019-0007: virConnect*HypervisorCPU do not check for read-only connection



       Libvirt Security Notice: LSN-2019-0007
       ======================================

      Summary: virConnect*HypervisorCPU do not check for
               read-only connection
  Reported on: 20190604
 Published on: 20190620
     Fixed on: 20190620
  Reported by: Ján Tomko <jtomko redhat com>
   Patched by: Ján Tomko <jtomko redhat com>
     See also: CVE-2019-10168

Description
-----------

The virConnect*HypervisorCPU APIs allow reporting CPU capabilities
from arbitrary emulator binaries without checking for a read-only
connection. This allows unprivileged users to execute arbitrary
binaries with elevated privileges.

Impact
------

The default libvirt configuration allows all local user accounts
read-only access to the libvirtd daemon. Any local user can provide
an arbitrary emulator, executing arbitrary binaries as the
configured QEMU user. Since v5.1.0, the emulator binary is run with
CAP_DAC_OVERRIDE, essentially having root privileges.

Workaround
----------

Edit the /etc/libvirt/libvirtd.conf configuration file and set
'unix_sock_ro_perms = "0700"' to prevent local users from connecting
to libvirt. Alternatively, set up a PolicyKit rule that denies them
access unless they first authenticate as root.
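
To check whether the socket-permission workaround is in place on a host,
the sketch below (an added example, not part of the original notice or of
libvirt) parses the text of libvirtd.conf and compares the installed
version with the "Broken in" releases listed under "Affected product".
The function names and sample configurations are constructed for
illustration, and the 0777 default mode is an assumption. A version match
is only an indicator, because maintenance branches and distribution
packages can carry the fix.

```python
import re

# Releases the notice lists under "Broken in".
BROKEN_IN = {"4.4.0", "4.5.0", "4.6.0", "4.7.0", "4.8.0", "4.9.0",
             "4.10.0", "5.0.0", "5.1.0", "5.2.0", "5.3.0", "5.4.0"}

# Assumption: an unset unix_sock_ro_perms means mode 0777, in line with the
# notice's statement that the default gives every local user read-only access.
DEFAULT_RO_PERMS = 0o777

# An active (uncommented) setting, e.g.  unix_sock_ro_perms = "0700"
_SETTING = re.compile(
    r'^\s*unix_sock_ro_perms\s*=\s*"?([0-7]{3,4})"?\s*(?:#.*)?$')


def ro_socket_perms(conf_text):
    """Effective mode of the read-only socket as configured in conf_text.

    If the key is set more than once, the permission bits are OR-ed so the
    audit reports the most permissive reading rather than guessing which
    line the daemon honours.
    """
    modes = [int(m.group(1), 8)
             for m in map(_SETTING.match, conf_text.splitlines()) if m]
    if not modes:
        return DEFAULT_RO_PERMS
    combined = 0
    for mode in modes:
        combined |= mode
    return combined


def audit(conf_text, version):
    """Return (listed_as_broken, ro_mode, needs_action) for one host."""
    listed = version.lstrip("v") in BROKEN_IN
    mode = ro_socket_perms(conf_text)
    # Any group/other bit is looser than the 0700 the workaround asks for.
    return listed, mode, listed and bool(mode & 0o077)


# Constructed sample configurations (not taken from a real host).
STOCK = '# Default allows any user.\n#unix_sock_ro_perms = "0777"\n'
WORKAROUND = 'unix_sock_ro_perms = "0700"\n'
GROUP_ONLY = 'unix_sock_group = "libvirt"\nunix_sock_ro_perms = "0770"\n'

if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("workaround", WORKAROUND),
                       ("group", GROUP_ONLY)):
        listed, mode, act = audit(conf, "v5.1.0")
        print(f"{name}: listed={listed} mode={mode:04o} needs_action={act}")
```

A host that restricts access with a PolicyKit rule instead is still
flagged, since the check covers only the socket-permission workaround.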

Affected product
----------------

       Name: libvirt
 Repository: git://libvirt.org/git/libvirt.git
             http://libvirt.org/git/?p=libvirt.git

     Branch: master
  Broken in: v4.4.0
  Broken in: v4.5.0
  Broken in: v4.6.0
  Broken in: v4.7.0
  Broken in: v4.8.0
  Broken in: v4.9.0
  Broken in: v4.10.0
  Broken in: v5.0.0
  Broken in: v5.1.0
  Broken in: v5.2.0
  Broken in: v5.3.0
  Broken in: v5.4.0
  Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
  Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
   Fixed by: bf6c2830b6c338b1f5699b095df36f374777b291

     Branch: v4.4-maint
  Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
  Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
   Fixed by: a6116fc8618300f6e2a082396812363310d1420f

     Branch: v4.5-maint
  Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
  Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
   Fixed by: 415cc5c0644304fd1e1bb721a092cf65e07be79f

     Branch: v4.6-maint
  Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
  Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
   Fixed by: 890965e8943a8837b41c3c6f366135ccfef48fb3

     Branch: v4.7-maint
  Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
  Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
   Fixed by: f5ace9c05d59b70d4899199a187cb32ec6f600d8

     Branch: v4.8-maint
  Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
  Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
   Fixed by: fc30929ffdf339d920b2e2183faf4373920bff6f

     Branch: v4.9-maint
  Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
  Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
   Fixed by: dd88b69a207c1ed6e89d7e9fa6b5f4a9ec4db97c

     Branch: v4.10-maint
  Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
  Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
   Fixed by: 09c2635d0deec198de0f250abc2958f2d1c09eaa

     Branch: v5.0-maint
  Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
  Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
   Fixed by: 1ef98539a655109480628c91feac48c3c69675ef

     Branch: v5.1-maint
  Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
  Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
   Fixed by: 2a3f95a40725f743b5189868bcc1a78d922517f6

     Branch: v5.1.0-maint
  Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
  Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a

     Branch: v5.2-maint
  Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
  Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
   Fixed by: 45ae5e529d4e886f47dacca9dfe5a08d95a3425a

     Branch: v5.3-maint
  Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
  Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
   Fixed by: d8e4d13446a0b04b757bd28c242a4cfecaaa8f1e

