Bug 1706067 (CVE-2019-10132)

Summary: CVE-2019-10132 libvirt: wrong permissions in systemd admin-sock due to missing SocketMode parameter
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: agedosier, berrange, clalancette, dmoppert, eblake, erik-fedora, itamar, jdenemar, jforbes, jsuchane, knoel, laine, libvirt-maint, marcandre.lureau, pkrempa, rbalakri, richard.poettler, rjones, security-response-team, sisharma, ssaha, vbellur, veillard, virt-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libvirt in version 4.1.0 and earlier. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:55:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1706666, 1706667, 1706668, 1706669, 1706670, 1706671, 1706672, 1706673, 1707185, 1712497, 1712498
Bug Blocks: 1704967
Attachments (Description / Flags):
- admin: reject clients unless their UID matches the current UID (flags: none)
- locking: restrict sockets to mode 0600 (flags: none)
- logging: restrict sockets to mode 0600 (flags: none)

Description Laura Pardo 2019-05-03 13:16:28 UTC
A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admin.socket and virtlogd-admin.socket systemd units. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons.

Comment 5 Doran Moppert 2019-05-07 07:07:36 UTC
Created attachment 1564991 [details]
admin: reject clients unless their UID matches the current UID

Comment 6 Doran Moppert 2019-05-07 07:07:59 UTC
Created attachment 1564992 [details]
locking: restrict sockets to mode 0600

Comment 7 Doran Moppert 2019-05-07 07:08:23 UTC
Created attachment 1564993 [details]
logging: restrict sockets to mode 0600

Comment 9 Doran Moppert 2019-05-07 07:11:51 UTC
The three patches above, provided by Daniel Berrange, address the issue in multiple layers:  the first adds client verification (as is already performed for libvirt-* sockets), preventing other users from accessing the socket.  The others restrict the mode of these sockets to 0600, reinforcing the protection with filesystem security.
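The two layers described in this comment, as an added example that is not libvirt's own code: the libvirt fix itself consists of adding `SocketMode=0600` to the virtlockd-admin.socket and virtlogd-admin.socket units (systemd's default socket mode is 0666) plus a peer-UID check in the admin server. The block below shows what those layers look like for a daemon that creates its own AF_UNIX socket: `client_allowed()` compares the connecting peer's UID (Linux `SO_PEERCRED`) with the daemon's UID, `bind_private_socket()` creates the socket node with mode 0600, and `socket_mode_is_private()` is the audit check an administrator could run against an existing socket path. The socket path used in `demo()` is a constructed temporary path, not a libvirt one.

```python
"""Defence in depth for a local admin socket (added example, not libvirt code)."""
import os
import socket
import stat
import struct
import tempfile
from typing import Optional


def peer_uid(conn: socket.socket) -> int:
    """Return the UID of the process at the other end of an AF_UNIX connection.

    Linux SO_PEERCRED yields struct ucred { pid_t pid; uid_t uid; gid_t gid; }.
    """
    ucred = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", ucred)
    return uid


def client_allowed(conn: socket.socket, allowed_uid: Optional[int] = None) -> bool:
    """Layer 1: accept only clients whose UID matches the daemon's UID."""
    if allowed_uid is None:
        allowed_uid = os.getuid()
    return peer_uid(conn) == allowed_uid


def bind_private_socket(path: str) -> socket.socket:
    """Layer 2: create the listening socket node with mode 0600.

    The node's mode is 0777 & ~umask at bind() time, so umask 0177 gives 0600;
    this is the equivalent of SocketMode=0600 in a systemd .socket unit.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv


def socket_mode_is_private(path: str) -> bool:
    """Audit check: True when the node is a socket with no group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISSOCK(st.st_mode) and (st.st_mode & 0o077) == 0


def demo() -> dict:
    """Exercise both layers against a constructed socket in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo-admin-sock")  # constructed path, not a libvirt socket
        srv = bind_private_socket(path)
        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client.connect(path)
        conn, _ = srv.accept()
        try:
            return {
                "mode_private": socket_mode_is_private(path),
                # The client runs as our own UID, so the same-UID policy admits it ...
                "same_uid_allowed": client_allowed(conn),
                # ... while a policy expecting a different UID rejects the same peer.
                "other_uid_allowed": client_allowed(conn, allowed_uid=os.getuid() + 1),
            }
        finally:
            conn.close()
            client.close()
            srv.close()


if __name__ == "__main__":
    print(demo())
```

Only the second layer applies when systemd owns the socket (the `SocketMode=` directive); the UID check still belongs in the daemon, since a socket handed over by systemd can be reached by anyone the filesystem mode admits.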

Comment 10 Doran Moppert 2019-05-07 07:19:12 UTC
These sockets are enabled if any guest VMs have been started on the host.  The impact of this vulnerability is that any local user can send administrative commands, which could result in denial of service against the libvirt service, any guests managed against it, and directing logs to any location on the host filesystem.  This last vector could lead to denial of service against other processes, or potentially even privilege escalation.

Comment 11 Doran Moppert 2019-05-08 01:21:34 UTC
Acknowledgments:

Name: Daniel P. Berrange (Red Hat)

Comment 15 Laura Pardo 2019-05-21 15:50:39 UTC
External References:

https://security.libvirt.org/2019/0003.html

Comment 16 Laura Pardo 2019-05-21 15:51:44 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1712498]

Created mingw-libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1712497]

Comment 17 errata-xmlrpc 2019-05-23 15:57:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1264 https://access.redhat.com/errata/RHSA-2019:1264

Comment 18 errata-xmlrpc 2019-05-23 16:09:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1268 https://access.redhat.com/errata/RHSA-2019:1268

Comment 20 errata-xmlrpc 2019-06-11 13:35:54 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.0.0.Z

Via RHSA-2019:1455 https://access.redhat.com/errata/RHSA-2019:1455