Bug 1694880 (CVE-2019-3886)

Summary: CVE-2019-3886 libvirt: virsh domhostname command discloses guest hostname in readonly mode
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: agedosier, berrange, bmcclain, clalancette, dfediuck, eblake, eedri, erik-fedora, itamar, jdenemar, jforbes, jsuchane, knoel, laine, libvirt-maint, marcandre.lureau, mgoldboi, michal.skrivanek, pkrempa, rbalakri, rjones, sbonazzo, security-response-team, sherold, sisharma, veillard, virt-maint
Keywords: Security
Hardware: All
OS: Linux
Doc Text: An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block.
Last Closed: 2021-10-25 09:52:10 UTC
Bug Depends On: 1695456, 1696054, 1696055
Bug Blocks: 1694881

Description Laura Pardo 2019-04-01 22:57:43 UTC
A vulnerability was found in libvirt versions >= 4.8.0. An information exposure allows retrieval of the guest hostname under readonly mode.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1692619

Comment 2 Daniel Berrangé 2019-04-03 13:53:41 UTC
NB, the flaw isn't the fact that the guest hostname is disclosed, but rather that the act of getting the hostname involves talking to the guest agent. The guest agent is untrusted and can block libvirt operations for a period of time, and so unprivileged users must not be allowed to run operations that talk to the guest agent.

Comment 3 Daniel Berrangé 2019-04-03 15:15:26 UTC
Patches posted upstream at:

  https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html

NB part of the flaw was found to also affect the virDomainGetTime API, in addition to virDomainGetHostname.

Comment 4 Doran Moppert 2019-04-04 05:38:21 UTC
Thanks Daniel,

I've altered the doctext to hopefully more faithfully represent the nature of the flaw, and changed the CVSS vector to A:L representing potential Availability impact by blocking libvirt.

Comment 5 Doran Moppert 2019-04-04 05:38:43 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-rawhide [bug 1696055]


Created mingw-libvirt tracking bugs for this issue:

Affects: fedora-rawhide [bug 1696054]