Bug 1048627 (CVE-2013-6456)

Summary: CVE-2013-6456 libvirt: unsafe usage of paths under /proc/$PID/root
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aavati, berrange, bsarathy, clalancette, itamar, jforbes, jkurik, laine, libvirt-maint, pfrields, rbalakri, rhs-bugs, rwheeler, ssaha, vbellur, veillard, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20131217,reported=20131224,source=redhat,cvss2=6.2/AV:A/AC:L/Au:S/C:N/I:P/A:C,rhel-5/libvirt=notaffected,rhel-6/libvirt=notaffected,rhel-7/libvirt=wontfix,rhes-2.0/libvirt=notaffected,rhes-2.1/libvirt=notaffected,fedora-all/libvirt=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-21 10:35:46 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1045643, 1048628    
Bug Blocks: 1048642    

Description Murray McAllister 2014-01-05 18:25:06 EST
Eric Blake from Red Hat notes:

The LXC driver will open paths under /proc/$PID/root for some operations it performs on running guests. For the virDomainShutdown and virDomainReboot APIs it will use this to access the /dev/initctl path in the container. For the virDomainDeviceAttach / virDomainDeviceDettach APIs it will use this to create device nodes in the container's /dev filesystem. If any of the path components under control of the container are symlinks the container can cause the libvirtd daemon to access the incorrect files.

Impact
------

A container can cause the administrator to shutdown or reboot the host OS if /dev/initctl in the container is made to be an absolute symlink back to itself or /run/initctl. A container can cause the host administrator to mknod in an arbitrary host directory when invoking the virDomainDeviceAttach API by replacing '/dev' with an
absolute symlink. A container can cause the host administrator to delete host device when invoking the virDomainDeviceDettach API by replacing '/dev' with an absolute symlink.

Workaround
----------

Do not use the virDomainShutdown or virDomainReboot APIs without also passing the VIR_DOMAIN_SHUTDOWN_SIGNAL or VIR_DOMAIN_REBOOT_SIGNAL flags respectively. These will cause the LXC driver to send a SIGTERM or SIGHUP signal respectively, to the init process instead of using /dev/initct. Do not use the virDomainDeviceAttach or virDomainDeviceDetach APIs at all unless the guest OS is trusted.

This issue affects the versions of libvirt in Fedora 19 and later. Red Hat Enterprise Linux 5 and 6 are not affected.
Comment 1 Murray McAllister 2014-01-05 18:30:12 EST
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1048628]
Comment 2 Fedora Update System 2014-02-28 13:32:23 EST
libvirt-1.1.3.4-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.