Bug 1172176 (CVE-2014-8119)

Summary: CVE-2014-8119 netcf: augeas path expression injection via interface name
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, jrusnack, laine, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: netcf 0.2.7
Doc Type: Bug Fix
Doc Text: A denial of service flaw was found in netcf. A specially crafted interface name could cause an application using netcf (such as the libvirt daemon) to crash.
Last Closed: 2015-11-20 05:25:45 UTC
Bug Depends On: 1165965, 1165966, 1186316, 1186318, 1207396, 1207397
Bug Blocks: 1172181, 1210268

Description Martin Prpič 2014-12-09 14:22:21 UTC
A flaw was found in the way netcf's find_ifcfg_path() function processed certain XPath expressions. An attacker able to supply a specially crafted XML file to an application using netcf could cause that application to crash.

Acknowledgements:

This issue was discovered by Hao Liu of Red Hat.

Comment 2 Tomas Hoger 2014-12-10 14:36:35 UTC
augeas-devel mailing list thread, discussing the lack of ways to safely include untrusted user-supplied input in path strings used in augeas queries:

https://www.redhat.com/archives/augeas-devel/2014-December/msg00000.html

Comment 3 Tomas Hoger 2015-03-30 19:49:11 UTC
Augeas upstream issue that tracks changes required to completely fix this netcf issue:

https://github.com/hercules-team/augeas/pull/198

The changes are:

- Addition of a new API - aug_escape_name() - which can be used to escape untrusted inputs before using them as part of path expressions passed to APIs such as aug_match() or aug_get().

- aug_match() is changed to return properly escaped output that can be safely passed back to aug_get().

Comment 4 Tomas Hoger 2015-03-30 20:20:31 UTC
netcf uses the Augeas library to read network configuration files.  It constructs paths to configuration files based on the supplied interface name, and uses those paths as arguments for Augeas' aug_match()/aug_get() calls.

However, these Augeas APIs do not handle the supplied paths as static; rather, they evaluate them as "path expressions", XPath-like expressions documented here:

https://github.com/hercules-team/augeas/wiki/Path-expressions

Augeas does not provide any way to force handling them as static paths rather than evaluating them as path expressions.  Before the changes mentioned above, it also did not provide any mechanisms to escape user-supplied inputs before adding them to path expressions.

An interface name containing an Augeas path expression makes an Augeas API call return a value netcf does not expect, leading to a NULL pointer dereference and application crash.  As netcf is used by libvirt, this flaw can allow an attacker able to establish a read-only connection to the libvirt daemon (in the default configuration, any local user) to cause it to crash.
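
The injection described in comments 3 and 4, as an added example that is not netcf's or Augeas' own code: a caller builds an Augeas path expression by dropping the interface name into a quoted predicate, and a name carrying a quote or bracket breaks out of the literal and becomes expression syntax. The expression shape `/files/etc/sysconfig/network-scripts/*[DEVICE = 'NAME']` is an assumed reconstruction of what find_ifcfg_path() builds (the real format string is not quoted on this page), and the allowlist in ifname_is_safe() is one defensive choice, not netcf's fix. No libaugeas is linked; only the string handling is shown.

```c
/* Added example: naive vs. checked construction of an Augeas path expression
 * from an interface name. Not netcf's code; the expression format is assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed tree prefix for ifcfg-* files under the sysconfig lens. */
#define IFCFG_BASE "/files/etc/sysconfig/network-scripts/*"

/* Linux interface names are at most IFNAMSIZ-1 = 15 bytes. */
#define IFNAME_MAX 15

/* Naive construction: the name is pasted into the quoted predicate unchanged.
 * Returns the expression length, or -1 if it does not fit in out. */
int build_ifcfg_expr(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, IFCFG_BASE "[DEVICE = '%s']", name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Allowlist check (an assumption, stricter than what the kernel accepts):
 * non-empty, at most 15 bytes, not "." or "..", and only [A-Za-z0-9_.:-].
 * Quotes, brackets, '/', '*', '|' and whitespace are all rejected, so no
 * path-expression metacharacter can reach aug_match()/aug_get(). */
int ifname_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (strlen(name) > IFNAME_MAX)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == ':'))
            return 0;
    }
    return 1;
}

/* Hardened construction: refuse names that fail the allowlist. */
int build_ifcfg_expr_checked(const char *name, char *out, size_t outlen)
{
    if (!ifname_is_safe(name))
        return -1;
    return build_ifcfg_expr(name, out, outlen);
}

int main(void)
{
    char expr[256];
    /* Constructed inputs: a normal name, and one whose embedded quote closes
     * the literal early so the rest is parsed as expression syntax. */
    const char *names[] = { "eth0", "eth0'] | *['" };

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_ifcfg_expr(names[i], expr, sizeof expr) >= 0)
            printf("naive:   %s\n", expr);
        if (build_ifcfg_expr_checked(names[i], expr, sizeof expr) >= 0)
            printf("checked: %s\n", expr);
        else
            printf("checked: rejected name \"%s\"\n", names[i]);
    }
    return 0;
}
```

Allowlisting works here because a kernel interface name is a short, constrained token; where the input genuinely needs arbitrary characters, the aug_escape_name() API from the Augeas pull request in comment 3 is the right tool, since Augeas offers no flag to treat a path as a literal rather than an expression.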

Comment 5 Tomas Hoger 2015-03-30 20:22:43 UTC
Lifting embargo.

Comment 6 Tomas Hoger 2015-03-30 20:23:30 UTC
Created netcf tracking bugs for this issue:

Affects: fedora-all [bug 1207396]
Affects: epel-5 [bug 1207397]

Comment 9 Fedora Update System 2015-04-29 13:04:07 UTC
netcf-0.2.8-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-05-10 23:38:51 UTC
netcf-0.2.8-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-05-11 00:08:33 UTC
netcf-0.2.8-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Huzaifa S. Sidhpurwala 2015-07-27 04:57:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHBA-2015:1307 https://rhn.redhat.com/errata/RHBA-2015-1307.html

Comment 13 Huzaifa S. Sidhpurwala 2015-07-27 04:58:26 UTC
Statement:

(none)

Comment 14 errata-xmlrpc 2015-11-19 08:58:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2248 https://rhn.redhat.com/errata/RHSA-2015-2248.html