Bug 1706067 (CVE-2019-10132)
| Field | Value |
|---|---|
| Summary | CVE-2019-10132 libvirt: wrong permissions in systemd admin-sock due to missing SocketMode parameter |
| Product | [Other] Security Response |
| Reporter | Laura Pardo <lpardo> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | agedosier, berrange, clalancette, dmoppert, eblake, erik-fedora, itamar, jdenemar, jforbes, jsuchane, knoel, laine, libvirt-maint, marcandre.lureau, pkrempa, rbalakri, richard.poettler, rjones, security-response-team, sisharma, ssaha, vbellur, veillard, virt-maint |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in libvirt in version 4.1.0 and later. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-06-10 10:55:02 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1706666, 1706667, 1706668, 1706669, 1706670, 1706671, 1706672, 1706673, 1707185, 1712497, 1712498 |
| Bug Blocks | 1704967 |
| Attachments | |
Description
Laura Pardo
2019-05-03 13:16:28 UTC
Created attachment 1564991 [details]
admin: reject clients unless their UID matches the current UID
Created attachment 1564992 [details]
locking: restrict sockets to mode 0600
Created attachment 1564993 [details]
logging: restrict sockets to mode 0600
The three patches above, provided by Daniel Berrange, address the issue in multiple layers: the first adds client verification (as is already performed for libvirt-* sockets), preventing other users from accessing the socket. The others restrict the mode of these sockets to 0600, reinforcing the protection with filesystem security. These sockets are enabled if any guest VMs have been started on the host. The impact of this vulnerability is that any local user can send administrative commands, which could result in denial of service against the libvirt service, any guests managed against it, and directing logs to any location on the host filesystem. This last vector could lead to denial of service against other processes, or potentially even privilege escalation.

Acknowledgments:
Name: Daniel P. Berrange (Red Hat)

External References:
https://security.libvirt.org/2019/0003.html

Created libvirt tracking bugs for this issue:
Affects: fedora-all [bug 1712498]

Created mingw-libvirt tracking bugs for this issue:
Affects: fedora-all [bug 1712497]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:1264 https://access.redhat.com/errata/RHSA-2019:1264

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:1268 https://access.redhat.com/errata/RHSA-2019:1268

This issue has been addressed in the following products:
Advanced Virtualization for RHEL 8.0.0.Z
Via RHSA-2019:1455 https://access.redhat.com/errata/RHSA-2019:1455
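The two layers described in the comment above, shown as an added stand-alone example (this is not libvirt's code and does not use its virNetSocket layer; the function names are mine). Layer one is the filesystem mode: the socket node is created as 0600, which is what a `SocketMode=0600` line in the `[Socket]` section of the systemd unit does when systemd creates the socket on the daemon's behalf. Layer two is the peer-credential check: on accept the daemon reads the connecting process's UID with `SO_PEERCRED` and refuses anyone who is not running as the daemon's own UID, so the admin interface stays closed even on a host where the unit-level mode was left out. `SO_PEERCRED` and `struct ucred` are Linux-specific.

```c
/* Added example: a Unix-domain admin socket with both protections the
 * CVE-2019-10132 patches describe (mode 0600 node + peer-UID check).
 * Not libvirt's implementation; helper names are mine. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Layer 1: bind a listening AF_UNIX socket at `path` as mode 0600.
 * The umask is narrowed around bind() so the node never exists with a
 * wider mode, not even briefly. Returns the fd, or -1 on error. */
int bind_admin_socket(const char *path)
{
    struct sockaddr_un addr;
    mode_t old;
    int fd, rc;

    if (strlen(path) >= sizeof(addr.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    unlink(path);                 /* drop a stale node from an earlier run */
    old = umask(0177);            /* 0777 & ~0177 == 0600 for the new node */
    rc = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
    umask(old);
    if (rc < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Policy: an admin client is allowed only if it runs as our own UID. */
int admin_uid_allowed(uid_t peer_uid)
{
    return peer_uid == getuid() ? 1 : 0;
}

/* Layer 2: read the peer's kernel-supplied credentials on an accepted
 * connection. Returns 1 (allowed), 0 (rejected) or -1 (could not read). */
int admin_peer_allowed(int fd)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);

    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    return admin_uid_allowed(cred.uid);
}

/* Check the node on disk: 1 if its permission bits are exactly 0600. */
int socket_mode_is_0600(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return 0;
    return (st.st_mode & 07777) == 0600;
}

/* Self-contained demo: bind in a private temp dir, connect from this same
 * process, and run both checks on the accepted connection.
 * Returns 1 when both layers pass, 0 otherwise. */
int demo_admin_socket(void)
{
    char dir[] = "/tmp/adminsock.XXXXXX";   /* constructed scratch location */
    char path[sizeof(((struct sockaddr_un *)0)->sun_path)];
    struct sockaddr_un addr;
    int srv = -1, cli = -1, conn = -1, ok = 0;

    if (!mkdtemp(dir))
        return 0;
    snprintf(path, sizeof(path), "%s/admin-sock", dir);
    srv = bind_admin_socket(path);
    if (srv >= 0 && socket_mode_is_0600(path)) {
        memset(&addr, 0, sizeof(addr));
        addr.sun_family = AF_UNIX;
        strcpy(addr.sun_path, path);
        cli = socket(AF_UNIX, SOCK_STREAM, 0);
        if (cli >= 0 && connect(cli, (struct sockaddr *)&addr, sizeof(addr)) == 0)
            conn = accept(srv, NULL, NULL);
        /* Same UID here, so the client is admitted; a different UID would be
         * refused at this point even if the node's mode had been left open. */
        if (conn >= 0 && admin_peer_allowed(conn) == 1)
            ok = 1;
    }
    if (conn >= 0) close(conn);
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("admin socket hardening: %s\n", demo_admin_socket() ? "PASS" : "FAIL");
    return 0;
}
```

On a real host the quick check for the unit-level layer is `systemctl show virtlogd-admin.socket -p SocketMode` (and the same for virtlockd-admin.socket) together with `stat -c '%a %U' /run/libvirt/virtlogd-admin-sock` while guests are running; a fixed build reports 0600 and the socket owner. The UID check matters independently of that mode because a socket created by something other than systemd, or with a looser unit override, would otherwise again be reachable by every local user.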