Bug 1677108 (CVE-2019-3831)

Summary: CVE-2019-3831 vdsm: privilege escalation to root via systemd_run
Product: [Other] Security Response
Reporter: Doran Moppert <dmoppert>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bmcclain, bronhaim, danken, dblechte, dfediuck, eedri, fromani, lsurette, mgoldboi, michal.skrivanek, mzamazal, nsoffer, rhs-bugs, rhsc-qe-bugs, sabose, saggi, sankarshan, sbonazzo, sherold, sisharma, srevivo, ssaha, storage-qa-internal, vbellur, ycui, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: vdsm 4.30.9
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in vdsm, versions 4.19 through 4.30.3 and 4.30.5 through 4.30.8. The systemd_run function exposed to the vdsm system user could be abused to execute arbitrary commands as root.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:47:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1677109, 1677458, 1678090, 1678629
Bug Blocks: 1677100

Description Doran Moppert 2019-02-14 04:05:51 UTC
vdsm v4.19 through v4.30.3 and v4.30.5 through v4.30.8 exposed a systemd_run() function to the vdsm system user, which could be abused to run arbitrary commands as root. This breaks the defense-in-depth of having a non-root vdsm system account. While not exploitable by attackers under normal circumstances, this flaw could lead to a compromise of services running under the vdsm account being escalated to a full root compromise.

Upstream fix:

https://gerrit.ovirt.org/#/c/97659/

Originally introduced by:

commit e56541ccb372e106eeb4fc3f7afc575f8dd32de2
Author: Francesco Romani <fromani>
Date:   Fri Apr 22 10:15:54 2016 +0200

    supervdsm: expose systemd utilities

Removed by:

commit f85f0527f1421618714e89eee03ee2f0400a65ae
Author: Francesco Romani <fromani>
Date:   Thu Nov 22 13:44:25 2018 +0100

    supervdsm: systemd: remove support

Re-introduced by:

commit daf5b3c3aaa3796b8f9be22fe2059f6f6152a3ce
Author: Nir Soffer <nsoffer>
Date:   Sun Dec 9 16:53:28 2018 +0200

    supervdsm: Add back systemd support

Comment 1 Doran Moppert 2019-02-14 04:06:05 UTC
Created vdsm tracking bugs for this issue:

Affects: fedora-all [bug 1677109]

Comment 5 Nir Soffer 2019-02-16 21:54:00 UTC
(In reply to Doran Moppert from comment #0)

Removed again by:

commit f6de9ce61380bbad5c98e7f2e8b26b9de74cf9b5
Author: Nir Soffer <nsoffer>
Date:   Fri Feb 8 17:53:00 2019 +0200

    systemd: Remove systemd_run() supervdsm service

Comment 6 Nir Soffer 2019-02-16 21:57:08 UTC
For 4.2, we have this fix:
https://gerrit.ovirt.org/c/97737/

Comment 8 errata-xmlrpc 2019-03-05 11:09:22 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:0457 https://access.redhat.com/errata/RHSA-2019:0457

Comment 9 errata-xmlrpc 2019-03-05 11:09:30 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:0458 https://access.redhat.com/errata/RHSA-2019:0458