Bug 1720115 (CVE-2019-10161)

Summary: CVE-2019-10161 libvirt: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
Product: [Other] Security Response
Reporter: Doran Moppert <dmoppert>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: agedosier, berrange, clalancette, cperry, dblechte, dfediuck, eblake, eedri, erik-fedora, itamar, jdenemar, jforbes, jsuchane, knoel, laine, libvirt-maint, marcandre.lureau, mgoldboi, michal.skrivanek, pkrempa, rbalakri, richard.poettler, rjones, sbonazzo, security-response-team, sherold, sisharma, ssaha, vbellur, veillard, virt-maint, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: libvirt 4.10.1, libvirt 5.4.1
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that libvirtd would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs.
Story Points: ---
Last Closed: 2019-07-12 13:07:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1720496, 1720500, 1720504, 1720510, 1720514, 1720518, 1720522, 1720526, 1720529, 1721920, 1722463, 1722467
Bug Blocks: 1718800

Description Doran Moppert 2019-06-13 07:53:53 UTC
It was discovered that libvirtd would permit read-only clients to use the
virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which
would be accessed with the permissions of the libvirtd process.  An
attacker with access to the libvirtd socket could use this to probe the
existence of arbitrary files, cause denial of service or cause libvirtd
to execute arbitrary programs.

This vulnerability was first present in libvirt v0.9.4.

Comment 6 Doran Moppert 2019-06-19 09:08:24 UTC
Statement:

* This vulnerability requires access to the libvirt socket, normally in /var/run/libvirt/libvirt_sock_ro.  Typically in hypervisor environments, local user accounts are not supported so no untrusted users should be able to access this socket.
* Red Hat Gluster Storage 3 is not affected by this vulnerability as libvirtd daemon is not shipped in Gluster.
* On Red Hat Enterprise Linux 6, the impact of this vulnerability is limited to denial of service or disclosing the existence of arbitrary files.  Privilege escalation is not possible.  For RHEL6, this CVE is rated as Moderate severity with 7.3/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H

Comment 8 Doran Moppert 2019-06-20 02:05:40 UTC
External References:

https://access.redhat.com/libvirt-privesc-vulnerabilities

Comment 9 Doran Moppert 2019-06-20 02:05:42 UTC
Mitigation:

The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing `/etc/libvirt/libvirtd.conf`.  The settings `unix_sock_group = libvirt` and `unix_sock_ro_perms = 0770` will restrict access to only members of `libvirt`, who already have management access to virtual machines.
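A small POSIX shell audit for the mitigation described in this comment, added here as an example; it is not part of the bug, of Red Hat's guidance, or of libvirt's own tooling. It reads the effective `unix_sock_group` and `unix_sock_ro_perms` values from a libvirtd.conf (commented-out lines ignored, quotes optional, last assignment wins) and flags a read-only socket whose mode still grants access to "other". An unset `unix_sock_ro_perms` is treated as the 0777 default named above. The two configuration files it writes are constructed samples: one with the stock defaults, one with the two settings from the comment applied. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not libvirt's own tooling): audit a libvirtd.conf for the
# CVE-2019-10161 mitigation, i.e. a read-only socket mode whose "other" bits
# are zero so only root and members of unix_sock_group can connect.
# The two configuration files written below are constructed samples.

# conf_value FILE KEY: print the effective (last uncommented) value of KEY,
# with surrounding double quotes stripped; prints nothing if KEY is unset.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" \
        | tail -n 1
}

# ro_socket_is_restricted FILE: exit 0 when the read-only socket mode denies
# "other" access, 1 otherwise.  An unset unix_sock_ro_perms is treated as the
# 0777 default mentioned in the mitigation comment.
ro_socket_is_restricted() {
    ro_perms=$(conf_value "$1" unix_sock_ro_perms)
    [ -n "$ro_perms" ] || ro_perms=0777
    case "$ro_perms" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
        *) echo "unparseable unix_sock_ro_perms: $ro_perms" >&2; return 1 ;;
    esac
    ro_other=${ro_perms#"${ro_perms%?}"}   # last octal digit = "other" bits
    [ "$ro_other" = 0 ]
}

# report FILE: one-line verdict for a config file (informational only).
report() {
    group=$(conf_value "$1" unix_sock_group)
    perms=$(conf_value "$1" unix_sock_ro_perms)
    if ro_socket_is_restricted "$1"; then
        echo "$1: OK   unix_sock_ro_perms=${perms:-unset} unix_sock_group=${group:-unset}"
    else
        echo "$1: WEAK unix_sock_ro_perms=${perms:-unset} (read-only socket open to any local user)"
    fi
}

# Constructed sample: stock config with the read-only socket left at its default.
write_weak_conf() {
    cat > "$1" <<'EOF'
#unix_sock_group = "libvirt"
#unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
EOF
}

# Constructed sample: the two settings from the mitigation comment applied.
write_hardened_conf() {
    cat > "$1" <<'EOF'
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0770"
unix_sock_rw_perms = "0770"
EOF
}

demo_dir=$(mktemp -d)
write_weak_conf "$demo_dir/weak.conf"
write_hardened_conf "$demo_dir/hardened.conf"
report "$demo_dir/weak.conf"
report "$demo_dir/hardened.conf"
# On a real host, run: report /etc/libvirt/libvirtd.conf
rm -rf "$demo_dir"
```

The verdict is based solely on the "other" digit of `unix_sock_ro_perms`: with that digit at zero, connecting to the read-only socket requires root or membership in whatever group `unix_sock_group` names, which is the property the mitigation relies on. Restart libvirtd after changing the file, since the socket is created with these permissions at startup.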

Comment 11 Doran Moppert 2019-06-20 12:14:22 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1722463]


Created mingw-libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1722467]

Comment 12 errata-xmlrpc 2019-06-20 14:13:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1578 https://access.redhat.com/errata/RHSA-2019:1578

Comment 13 errata-xmlrpc 2019-06-20 15:33:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1579 https://access.redhat.com/errata/RHSA-2019:1579

Comment 14 errata-xmlrpc 2019-06-20 15:48:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1580 https://access.redhat.com/errata/RHSA-2019:1580

Comment 15 Doran Moppert 2019-07-02 04:31:59 UTC
Acknowledgments:

Name: Matthias Gerstner (SUSE)

Comment 17 errata-xmlrpc 2019-07-08 09:19:06 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:1699 https://access.redhat.com/errata/RHSA-2019:1699

Comment 18 errata-xmlrpc 2019-07-11 16:26:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8 Advanced Virtualization

Via RHSA-2019:1762 https://access.redhat.com/errata/RHSA-2019:1762

Comment 19 Product Security DevOps Team 2019-07-12 13:07:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10161