
Bug 1005332 (CVE-2013-4311)

Summary: CVE-2013-4311 libvirt: insecure calling of polkit
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: berrange, chrisw, dyuan, eblake, jdenemar, jkurik, mzhan, pmatouse, rbalakri, rpacheco, rwheeler, security-response-team, ssaha, vbellur, ydu
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20130918,reported=20130828,source=distros,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,fedora-all/libvirt=affected,rhel-5/libvirt=notaffected,rhel-6/libvirt=affected,rhel-7/libvirt=notaffected,rhes-2.0/libvirt=affected,rhes-2.1/libvirt=affected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1006265, 1006266, 1006272, 1009539
Bug Blocks: 1002376, 1006244

Attachments (Description / Flags):
- Fix for git master 1/3 (none)
- Fix for git master 2/3 (none)
- Fix for git master 3/3 (none)
- Fix for rhel-6 0.10.2 branch 1/2 (none)
- Fix for rhel-6 0.10.2 branch 2/2 (none)

Description Kurt Seifried 2013-09-06 12:38:12 EDT
Sebastian Krahmer reported a security issue was found in polkit (CVE-2013-4288, bz 1002375).

As part of the investigation of this issue it was found that an issue also occurs in libvirt, specifically in how it invokes polkit. There are two ways for polkit to be invoked: one is via the API, which supports passing a UID to the secure function polkit_unix_process_new_for_owner(); the second is via the command line (pkcheck), which does not support passing a UID to the function polkit_unix_process_new_full(). libvirt used the insecure way to invoke polkit, resulting in a privilege escalation vulnerability.
Comment 1 Daniel Berrange 2013-09-10 06:07:26 EDT
Created attachment 795917 [details]
Fix for git master 1/3
Comment 2 Daniel Berrange 2013-09-10 06:07:52 EDT
Created attachment 795918 [details]
Fix for git master 2/3
Comment 3 Daniel Berrange 2013-09-10 06:08:24 EDT
Created attachment 795919 [details]
Fix for git master 3/3
Comment 4 Daniel Berrange 2013-09-10 06:08:57 EDT
Created attachment 795920 [details]
Fix for rhel-6 0.10.2 branch 1/2
Comment 5 Daniel Berrange 2013-09-10 06:09:22 EDT
Created attachment 795921 [details]
Fix for rhel-6 0.10.2 branch 2/2
Comment 8 Vincent Danen 2013-09-18 11:11:26 EDT
This is now public:

http://www.openwall.com/lists/oss-security/2013/09/18/4
Comment 9 Daniel Berrange 2013-09-18 11:19:38 EDT
The relevant upstream GIT master commits are

commit 922b7fda77b094dbf022d625238262ea05335666
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Wed Aug 28 15:25:40 2013 +0100

    Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)
    
    With the existing pkcheck (pid, start time) tuple for identifying
    the process, there is a race condition, where a process can make
    a libvirt RPC call and in another thread exec a setuid application,
    causing it to change to effective UID 0. This in turn causes polkit
    to do its permission check based on the wrong UID.
    
    To address this, libvirt must get the UID the caller had at time
    of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
    triple to the pkcheck program.
    
    This fix requires that libvirt is re-built against a version of
    polkit that has the fix for its CVE-2013-4288, so that libvirt
    can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'
    
    Signed-off-by: Colin Walters <walters@redhat.com>
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

commit e65667c0c6e016d42abea077e31628ae43f57b74
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Wed Aug 28 15:22:05 2013 +0100

    Ensure system identity includes process start time
    
    The polkit access driver will want to use the process start
    time field. This was already set for network identities, but
    not for the system identity.
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Thu Aug 22 16:00:01 2013 +0100

    Also store user & group ID values in virIdentity
    
    Future improvements to the polkit code will require access to
    the numeric user ID, not merely user name.
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Comment 10 Vincent Danen 2013-09-18 11:25:21 EDT
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1009539]
Comment 11 errata-xmlrpc 2013-09-19 14:08:47 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1272 https://rhn.redhat.com/errata/RHSA-2013-1272.html
Comment 12 Fedora Update System 2013-09-30 22:14:20 EDT
libvirt-0.10.2.8-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-10-02 02:40:25 EDT
libvirt-1.0.5.6-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2013-10-12 00:33:33 EDT
libvirt-1.1.3-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.