Bug 1609779

Summary: Unquoted Service Paths Windows guest tools
Product: [oVirt] ovirt-guest-tools Reporter: Doron Fediuck <dfediuck>
Component: Packaging.installer Assignee: Sandro Bonazzola <sbonazzo>
Status: CLOSED CURRENTRELEASE QA Contact: Petr Matyáš <pmatyas>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.2-1 CC: bugs, lsurette, mkenneth, pmatyas, srevivo, tburke
Target Milestone: ovirt-4.2.6 Flags: rule-engine: ovirt-4.2+
Target Release: ---   
Hardware: x86_64   
OS: Windows   
Whiteboard:
Fixed In Version: ovirt-wgt-4.2-3 Doc Type: Bug Fix
Doc Text:
An unquoted path in the oVirt Windows Guest Tools installer made them vulnerable to a common exploit documented at https://www.commonexploits.com/unquoted-service-paths/. The issue has been fixed in this new release.
Story Points: ---
Clone Of:
: 1609820 (view as bug list) Environment:
Last Closed: 2018-09-03 15:07:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Doron Fediuck 2018-07-30 12:32:38 UTC
Description of problem:
This was reported by a community user, and examined with the SRT representative to be a hardening issue and not a security issue.

The services ovirt installs don't have quoted binary paths, as you can see below.

  OVirtGuestService : C:\Program Files (x86)\oVirt Guest Tools\OVirtGuestService.exe
  vdservice : C:\Program Files (x86)\oVirt Guest Tools\64\vdservice.exe
  BalloonService : C:\Program Files (x86)\oVirt Guest Tools\drivers\Balloon\2k12r2\amd64\blnsvr.exe

Version-Release number of selected component (if applicable):
ovirt-guest-tools-iso-4.2-1.el7.centos

Actual results:
Unquoted path with space for guest binaries.

Expected results:
Quoted path being used.

Additional info:
For more information you can take a look at https://www.commonexploits.com/unquoted-service-paths/ and http://cwe.mitre.org/data/definitions/428.html

Comment 1 Sandro Bonazzola 2018-08-14 19:11:33 UTC
Build is available in ovirt-4.2-pre repo: https://resources.ovirt.org/pub/ovirt-4.2-pre/iso/oVirt-toolsSetup/4.2-3.el7/oVirt-toolsSetup-4.2-3.el7.iso

Comment 2 Petr Matyáš 2018-08-15 10:04:26 UTC
Verified on oVirt Guest Tools 4.2-3.el7

All paths are quoted correctly.
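
The check behind "All paths are quoted correctly", as an added example that is not part of the bug report or of the oVirt project's code: it flags service ImagePath values whose executable portion is unquoted and contains whitespace (CWE-428), and returns the quoted form to set instead. The three oVirt paths are the ones listed in the description; the other two entries and all function names are constructed for illustration.

```python
import re

# In an unquoted command line, the executable is assumed to end at the first
# ".exe" that is followed by whitespace or by the end of the string.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    value = image_path.strip()
    if value.startswith('"'):
        closing = value.find('"', 1)
        if closing == -1:  # unbalanced quote: treat as unquoted
            return value[1:], "", False
        return value[1:closing], value[closing + 1:].strip(), True
    match = _EXE_END.search(value)
    if match is None:  # no .exe (e.g. a driver path): assume no arguments
        return value, "", False
    return value[:match.end()], value[match.end():].strip(), False


def audit(image_path):
    """Return None if the path is safe, else the corrected, quoted ImagePath."""
    exe, args, quoted = split_image_path(image_path)
    if quoted or not re.search(r"\s", exe):
        return None
    fixed = f'"{exe}"'
    return f"{fixed} {args}" if args else fixed


def findings(services):
    """Map each flagged service name to its corrected ImagePath."""
    result = {name: audit(path) for name, path in services.items()}
    return {name: fix for name, fix in result.items() if fix is not None}


SERVICES = {
    # Paths as listed in the bug description (before the fix).
    "OVirtGuestService": r"C:\Program Files (x86)\oVirt Guest Tools\OVirtGuestService.exe",
    "vdservice": r"C:\Program Files (x86)\oVirt Guest Tools\64\vdservice.exe",
    "BalloonService": r"C:\Program Files (x86)\oVirt Guest Tools\drivers\Balloon\2k12r2\amd64\blnsvr.exe",
    # Constructed entries: already quoted, and unquoted without spaces.
    "QuotedExample": r'"C:\Program Files\Example\agent.exe" --run',
    "NoSpaceExample": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, fix in findings(SERVICES).items():
        print(f"{name}: unquoted path with spaces, set ImagePath to {fix}")
```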