Bug 1245647 (CVE-2015-5160)
| Summary: | CVE-2015-5160 libvirt: Ceph id/key leaked in the process list | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | agedosier, berrange, carnil, chrisw, clalancette, eblake, itamar, jdenemar, jsuchane, knoel, laine, libvirt-maint, nlevinki, pkrempa, rbalakri, rfortier, security-response-team, sgirijan, sisharma, smohan, ssaha, vbellur, veillard, virt-maint |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
It was found that the libvirt daemon, when using RBD (RADOS Block Device), leaked private credentials to the process list. A local attacker could use this flaw to perform certain privileged operations within the cluster.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-02-08 06:42:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1182074, 1251605, 1251607 | ||
| Bug Blocks: | 1245650, 1289176 | ||
|
Description
Vasyl Kaigorodov
2015-07-22 13:16:45 UTC
Why is this bug embargoed? It has been public knowledge since 2011 that passing Ceph keys on the command line is undesirable: https://www.redhat.com/archives/libvir-list/2011-November/msg00853.html and we're STILL waiting on qemu to give us a file-descriptor backdoor for RBD disks that will allow us to pass auth without using the command line. Corrected CVSS2 scoring (this only affects confidentiality). FYI, I am doing some work on QEMU which should allow us to address this problem. Will post a link to patches when there's something to show. The QEMU side of the fix for this problem is queued for the QEMU 2.6 release: https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg01624.html Work can now begin on the libvirt side of the fix Here's a run through of what I think we should do in libvirt to fix this. - Every libvirt KVM guest that is started should be given a master secret in /var/lib/libvirt/qemu/$GUEST-master.key This should be provided to QEMU at startup using -object secret,id=master0,file=/var/lib/libvirt/qemu/$GUEST-master.key,format=base64 - When we need to pass secrets to QEMU for network disk passwords, or for decryption passphrases, or for TLS certificate passwords, we should encrypt the secret with the master key, and pass the encrypted secret data inline using "-object secret,id=sec0,data=[base64 ciphertext],keyid=master0,iv=[base64 IV],format=base64" This ensures that we don't need to mess around with file descriptor passing or creating/deleting temporary files to hold the secret for hotplugging disks. It is also nice because users can still cut + paste the command line args from /var/log/libvirt/qemu/$GUEST.log and have things "just work" even with secrets in use. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2577 https://rhn.redhat.com/errata/RHSA-2016-2577.html Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates of Enterprise Linux 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. |